1
0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2024-11-28 09:08:44 +02:00
Commit Graph

189 Commits

Author SHA1 Message Date
Mitsuo Heijo
dd05e7ff0b
Add new linters (#486)
* add new linters and fix issues

* fix deprecated warnings

* simplify return

* update CHANGELOG

* fix staticcheck issues

* remove a deprecated linter, minor fixes of variable initialization
2020-04-14 09:36:44 +01:00
Joel Speed
fcd52e042e
Warn users when session cookies are split 2020-04-12 12:01:38 +01:00
Eric Dahlseng
a659b9558e
Allow multiple cookie domains to be specified (#412)
* Allow multiple cookie domains to be specified

* Use X-Forwarded-Host, if it exists, when selecting cookie domain

* Perform cookie domain sorting in config validation phase

* Extract get domain cookies to a single function

* Update pkg/cookies/cookies.go

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* Update changelog

Co-authored-by: Marcos Lilljedahl <marcosnils@gmail.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-04-12 12:00:44 +01:00
Mitsuo Heijo
7f72a22227
feature: switch Azure AD graph API to Microsoft Graph API (#440)
* feature: switch Azure AD graph API to Microsoft Graph API

* Update CHANGELOG

* Expand Breaking Changes notice

* Update CHANGELOG.md

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* fix: use constant http method

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-04-12 11:53:30 +01:00
Moraru Costel
b0b87563dc
Add set basic auth param (#413)
* addint redirect capability to sign_out

* updating changelog

* Add a new param to set the Authorization header to up-stream systems as Basic user:password

* Resolving code review

* mutual exclusiv changes for Basic and Bearer Authorization header

* Fixed the merge mixup and comment error

* Updated changelog and fixed typo

* Adding the new entry in changelog

Co-authored-by: Costel Moraru <costel.moraru-germany@ibm.com>
2020-04-10 14:41:28 +01:00
Mitsuo Heijo
7efc162aaa
Prevent browser caching during auth flow (#453)
* Prevent browser caching during auth flow

* simplify no-cache logic, add tests and update changelog

* checking noCacheHeaders does not exists in response headers from upstream

* remove unnecessary codes

* add no-cache headers in SignInPage and OAuthStart for proxy mode

https://github.com/oauth2-proxy/oauth2-proxy/pull/453#discussion_r405072222
2020-04-09 15:39:07 +01:00
Trevor Box
7c3efe4f42
Update okta doc (#481)
* updated Okta docs and added localhost example

* add changelog entry

* added pull request # to changelog

Co-authored-by: tbox <tbox@redhat.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-04-08 21:28:00 +01:00
Josh Bielick
f9f98cb3a7
print full error message when non-api error (#474)
when type asserting fails here, err is reassigned with nil and the
default block of the switch prints out <nil> in the error message. This
makes debugging a configuration or access token issue difficult

The particular error this surfaces is:

Response: {
  "error": "unauthorized_client",
  "error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
}

Signed-off-by: Josh Bielick <jbielick@gmail.com>
2020-04-06 09:27:24 +01:00
Mitsuo Heijo
c7bfbdecef
Implement graceful shutdown and propagate request context (#468)
* feature: Implement graceful shutdown

Propagate the request context to the Redis client.
It is possible to propagate a context cancel to Redis client if the connection is closed by the HTTP client.
The redis.Cmdable cannot use WithContext, so added the Client interface to handle redis.Client and redis.ClusterClient transparently.

Added handling of Unix signals to http server.

Upgrade go-redis/redis to v7.

* Update dependencies

- Upgrade golang/x/* and google-api-go
- Migrate fsnotify import from gopkg.in to github.com
- Replace bmizerany/assert with stretchr/testify/assert

* add doc for  wrapper interface

* Update CHANGELOG.md

* fix: upgrade fsnotify to v1.4.9

* fix: remove unnessary logging

* fix: wait until  all connections have been closed

* refactor: move chan to main for testing

* add assert to check if stop chan is empty

* add an idiomatic for sync.WaitGroup with timeout
2020-04-04 16:12:38 +01:00
Siim Tiilen
bdc686103e
Allow html in banner message (#462)
* allow html in banner message

* Fix changelog (move under new version)
2020-04-04 15:01:11 +01:00
Phil Taprogge
3f7837b955
Add logging in case of invalid redirects (#471)
* Add logging in case of invalid redirects

* update changelog

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-04-02 09:51:38 +01:00
Theo
8641bc4738
Update docs deps 2020-03-29 17:34:17 +01:00
Joel Speed
f832eb1446
Update changelog and readme to reflect migration 2020-03-29 16:24:41 +01:00
Joel Speed
802754caad
Migrate to oauth2-proxy/oauth2-proxy 2020-03-29 15:40:10 +01:00
Joel Speed
9dcd8255bf
Update CHANGELOG for v5.1.0 release 2020-03-29 13:19:38 +01:00
Mitsuo Heijo
362cdf7713
Fix http.Cookie SameSite is not copied. (#450)
* fix: http.Cookie SameSite is not copied.

* Update CHANGELOG.md
2020-03-17 18:48:52 +00:00
Jakub Holy
3108f765a5
Fix #381, expose acr_values to all providers (#445) 2020-03-17 17:57:33 +00:00
Erico Fusco
4d7349f9c6
Update CHANGELOG.md (#446)
Fix PR link for #435
2020-03-16 10:14:38 +00:00
Mitsuo Heijo
81b9a63e51
Support Go 1.14 (#419)
* Upgrade base image tags and golangci-lint

* Upgrade golang and golangci-lint in travis-ci

* fix:  tests, pointed out by golangci-lint and format files

* Upgrade dependencies

* update changelog

* fix: tests related to https://github.com/pusher/oauth2_proxy/pull/418

* Separate tests using go version build tags

* Update CHANGELOG

* Revert "Separate tests using go version build tags"

This reverts commit 9b7e65eb90cae954dc7b6316345d3207205d488a.

* fix test to support go1.14 and go1.13

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-03-14 10:14:15 +00:00
Jakub Holy
b1c81e2abe
Support prompt in addition to auth-prompt (#444)
Fix #380
2020-03-14 09:53:43 +00:00
Erico Fusco
8d0149ccf8
Fix issue with group validation called on every request (#435)
* Revert group validation on every request

* Fix syntax

* Remove unit tests associated with reverted change

* Update CHANGELOG
2020-03-13 20:10:38 +00:00
Jordan Crawford
4cd43ef397 Support the PreferEmailToUser option on PassUserHeaders
Previously in #401, an option was added to support forwarding the email
address as the username to the upstream service when the PassBasicAuth
option is used.

The PassBasicAuth option is not appropriate for all users, with PassUserHeaders
allowing very similar functionality without specifying a basic auth headers.

The PreferEmailToUser option has been expanded to support the PassUserHeaders
option.
2020-03-04 11:47:13 +13:00
D. Spindel
51f4d88028
Add option to prefer an Email address to a Username (#401)
With some providers the Username is an upstream Unique ID, like fex. in the
case of Google.

When matching this with downstream databases, it's sometimes preferred to use
the email address as the  known identifier.

However, when _mixing_ this with sometimes other sources, like htaccess, which
doesn't have a concept of an email address, it can turn difficult.

This change makes the headers _prefer_ to use the Email address, if such exists,
for the Username identifier when passing data to downstream services.

Defaults to Off.

Signed-off-by: D.S. Ljungmark <ljungmark@modio.se>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-02-29 17:38:32 +00:00
Timo Beckers
907de4e141
Use OAuthProxy.GetRedirect in /sign_in, honoring the 'rd' query parameter (#405)
* Use OAuthProxy.GetRedirect in /sign_in, honoring the 'rd' query parameter

* CHANGELOG.md - Add a changelog entry for #405
2020-02-28 09:59:27 +00:00
Luke Tainton
4f553bcfc8
Add nsswitch.conf to Docker image (#400)
* Add nsswitch.conf to Docker image

Created nsswitch.conf to use locally defined translations before DNS. Copied to /etc/nsswitch.conf in the image.

* Add new line

* Updated Changelog

Co-authored-by: Dan Bond <danbond@protonmail.com>
2020-02-23 18:16:18 +00:00
Iain Buclaw
2033ce81c3
Implement ValidateSessionState for GitHubProvider (#385)
Refactors the setting of the Authorization header into getGitHubHeader.

Refs #382

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-02-15 15:11:14 +00:00
Pavel Kirichenko
f2661c47ba
Support for client secret file. (#355)
* added ClientSecretFile in ProviderData

* add documentation notes on client secret file

* added Changelog entry for Client Secret File PR

* fixing configuration.md

* addressing PR issue of ClientSecret property naming

* Update providers/provider_data.go

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* corrected changelog entry

* fixed typo in GetClientSecret

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-02-15 13:44:39 +00:00
Devin Nemec
3a843f815d
GitHub Provider - Fallback to secondary verified email (#372)
* Fallback to secondary verified email

* Add change to changelog
2020-02-15 13:36:28 +00:00
Ben Letton
10adb5c516
Support optional id_tokens in refresh responses (#335)
* OIDC Token Refresh works without id_tokens

Addresses https://github.com/pusher/oauth2_proxy/issues/318

Refactoring the OIDC provider so that the refresh process works when there are
no id_tokens present in the response. Added unit tests to the oidc_test.go to prove
the redeem and refresh still work.

The expiry time of the session is now taken from the outh token expiry and not
the id_token (preventing stale access_tokens in sessions).

* Refactoring the to use a KeySetStub in the oidc_test.go. This allows the
elimination of the slightly contrived function passing elements used
previously. (This change is being applied to address the bug #318)

* Changes as per the PR comments and preparing for 5.x release

* Fixup changelog

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-02-06 18:09:30 +00:00
Yan Yao
18d20364a8
Extension of Redis Session Store to Support Redis Cluster (#363)
* Extend the redis session store to support redis cluster

* rename function newRedisClient to newRedisCmdable

* update docs about redis cluster as session store

* update autocomplete script with redis cluster options

* add check about conflict between option redis-use-sentinel and redis-use-cluster

* update change log

* Update docs/configuration/sessions.md

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/sessions/redis/redis_store.go

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* add the dropped option back

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-02-06 17:59:12 +00:00
Felix Fontein
9670f54dd0
Fix login page fragment handling after soft reload on Firefox (#353)
* Fix login page fragment handling after soft reload on Firefox.

* Add comments.

* Move changelog entry to correct place.

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Felix Fontein <felix@fontein.de>
2020-01-31 11:11:15 +00:00
David Stark
3b0e8c3cb3
Open redirect (security vulnerability) notes 2020-01-29 12:45:19 +00:00
David Stark
e21f09817e
note about open redirect vulneravility 2020-01-29 12:36:11 +00:00
David Stark
c32a7d8e2c
Release v5.0.0
Changelog updated
2020-01-29 12:10:03 +00:00
Martin Campbell
d9362d3bb9 Add reverse proxy setting (#331)
* Add reverse proxy setting (#321)
2020-01-24 17:54:13 +00:00
Joel Speed
17d9961cb9
Merge branch 'master' into pgroudas/add-samesite-cookie-options 2020-01-20 19:21:51 +00:00
Dan Bond
11cc396059
Merge branch 'master' into kamal/whitelist-redirects-with-ports 2020-01-15 14:03:17 +00:00
Kamal Nasser
eee4b55e0f DigitalOcean Auth Provider (#351)
* DigitalOcean provider

* documentation: digitalocean provider

* changelog: digitalocean provider

* codeowners: digitalocean provider
2020-01-15 11:09:34 +00:00
Dan Bond
625909e445
Merge branch 'master' into kamal/whitelist-redirects-with-ports 2020-01-10 09:48:25 +00:00
sushiMix
f94dee6f0d Update keycloak provider configuration doc (#347)
* update keycloak provider configuration doc

* Add changelog entry
2020-01-10 09:41:08 +00:00
Kamal Nasser
5489d1624e
Merge branch 'master' into kamal/whitelist-redirects-with-ports 2020-01-08 22:24:56 +02:00
Paul Groudas
afb7247ad5 Add item to CHANGELOG for SameSite configuration. 2020-01-06 12:21:52 -05:00
Joel Speed
effe1e0bdb
Fix changelog entry release 2019-12-17 12:17:05 +00:00
Joel Speed
3a8b33a017
Merge branch 'master' into nextcloud-provider 2019-12-17 11:56:43 +00:00
Dan Bond
ef8b7b5e25
dist.sh: use sha256sum (#325)
* dist.sh: use sha256sum

* update CHANGELOG
2019-12-10 17:24:15 +00:00
Dan Bond
8165f6c483
Update CHANGELOG for v4.1.0 (#323) 2019-12-10 16:34:33 +00:00
Florian Kaiser
f6790265e1 dist.sh: Add build for FreeBSD (#317) 2019-11-26 16:38:22 +00:00
Casey Link
227ea5da44 Add Nextcloud provider (#179) 2019-11-25 18:47:21 +01:00
Felix Fontein
11205c7399 Allow to change provider's name (#296)
* Allow to change provider's name.

* Add changelog entry.

* Linting.

* provider-name -> provider-display-name.

* Add flag in main.go.

* Update CHANGELOG.md
2019-11-25 17:20:37 +00:00
Moraru Costel
ca0b8375da Add redirect capability to sign_out (#314)
* addint redirect capability to sign_out

* updating changelog
2019-11-19 17:17:26 +00:00