* Set and verify a nonce with OIDC
* Create a CSRF object to manage nonces & cookies
* Add missing generic cookie unit tests
* Add config flag to control OIDC SkipNonce
* Send hashed nonces in authentication requests
* Encrypt the CSRF cookie
* Add clarity to naming & add more helper methods
* Make CSRF an interface and keep underlying nonces private
* Add ReverseProxy scope to cookie tests
* Align to new 1.16 SameSite cookie default
* Perform SecretBytes conversion on CSRF cookie crypto
* Make state encoding signatures consistent
* Mock time in CSRF struct via Clock
* Improve InsecureSkipNonce docstring
* Allow complex structure for groups in group claim.
* Remove unused constant
* Update variable name
* Fix linting
* Use helper method
* Log error if not possible to append group value
* Add missing import
* Use own logger
* Fix imports
* Remove Dockerfile for testing
* Add Changelog entry
* Use formatGroup helper method and update tests
* Return string instead of string array
* Remove groups variable
* Return error in format method.
* Reorder imports
Co-authored-by: Nick Meves <nick.meves@greenhouse.io>
`findClaimsFromIDToken` would always have a `nil` access token and not be
able to hit the userinfo endpoint in Bearer case. If access token is nil,
default to legacy `session.Email = claim.Subject` that all JWT bearers used
to have, even if a valid profileURL is present.
This reverts to functionality before #499 where an OIDC
provider could be used with `--skip-jwt-bearer-tokens` and
tokens without an email or profileURL would still be valid.
This logic mirrors `middleware.createSessionStateFromBearerToken`
which used to be the universal logic before #499.
* Add -user-id-claim to support other claims than email
Fix#431 - This is a minimal change to allow the user to configure which claim is
the source of the "user ID".
- Add the option `user-id-claim` (defaults to email)
- OIDC extracts this claim into session.Email (to be renamed later)
- providers: add `CreateSessionStateFromBearerToken` with a default impl taken from
`GetJwtSession` and overridden by oidc to respect `user-id-claim`
Once #466 is merged, I can continue to rename SessionState.Email to .UserID
and add HTTP headers with a corresponding name.
* Apply suggestions from code review
Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>
* Review feedback: Don't extract claims manually
Instead, parse them twice - it might be sligtly slower but less bug-prone as the code evolves.
* Fix indentation
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Upgrade base image tags and golangci-lint
* Upgrade golang and golangci-lint in travis-ci
* fix: tests, pointed out by golangci-lint and format files
* Upgrade dependencies
* update changelog
* fix: tests related to https://github.com/pusher/oauth2_proxy/pull/418
* Separate tests using go version build tags
* Update CHANGELOG
* Revert "Separate tests using go version build tags"
This reverts commit 9b7e65eb90cae954dc7b6316345d3207205d488a.
* fix test to support go1.14 and go1.13
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* cleaned up source to make golangci-lint pass
* providers/azure_test.go: use build in POST constant
* options_test.go: do not export unnecessary variables
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Add support for preferred username.
* Add missing TOC entries.
* Add note about preferred_username support.
* Adjust tests.
* Check on not implemented error for GetPreferredUsername() call.
Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* OIDC Token Refresh works without id_tokens
Addresses https://github.com/pusher/oauth2_proxy/issues/318
Refactoring the OIDC provider so that the refresh process works when there are
no id_tokens present in the response. Added unit tests to the oidc_test.go to prove
the redeem and refresh still work.
The expiry time of the session is now taken from the outh token expiry and not
the id_token (preventing stale access_tokens in sessions).
* Refactoring the to use a KeySetStub in the oidc_test.go. This allows the
elimination of the slightly contrived function passing elements used
previously. (This change is being applied to address the bug #318)
* Changes as per the PR comments and preparing for 5.x release
* Fixup changelog
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Current OIDC implementation asserts that user email check must come
from JWT token claims. OIDC specification also allows for source
of user email to be fetched from userinfo profile endpoint.
http://openid.net/specs/openid-connect-core-1_0.html#UserInfo
* First, attempt to retrieve email from JWT token claims. Then fall back to
requesting email from userinfo endpoint.
* Don't fallback to subject for email
https://github.com/bitly/oauth2_proxy/pull/481
See the README for usage with Dex or any other OIDC provider.
To test run a backend:
python3 -m http.server
Run dex and modify the example config with the proxy callback:
go get github.com/coreos/dex/cmd/dex
cd $GOPATH/src/github.com/coreos/dex
sed -i.bak \
's|http://127.0.0.1:5555/callback|http://127.0.0.1:5555/oauth2/callback|g' \
examples/config-dev.yaml
make
./bin/dex serve examples/config-dev.yaml
Then run the oauth2_proxy
oauth2_proxy \
--oidc-issuer-url http://127.0.0.1:5556/dex \
--upstream http://localhost:8000 \
--client-id example-app \
--client-secret ZXhhbXBsZS1hcHAtc2VjcmV0 \
--cookie-secret foo \
--email-domain '*' \
--http-address http://127.0.0.1:5555 \
--redirect-url http://127.0.0.1:5555/oauth2/callback \
--cookie-secure=false
Login with the username/password "admin@example.com:password"
