This reverts to functionality before #499 where an OIDC
provider could be used with `--skip-jwt-bearer-tokens` and
tokens without an email or profileURL would still be valid.
This logic mirrors `middleware.createSessionStateFromBearerToken`
which used to be the universal logic before #499.
* Centralize Ticket management of persistent stores
persistence package with Manager & Ticket will handle
all the details about keys, secrets, ticket into cookies,
etc. Persistent stores just need to pass Save, Load &
Clear function handles to the persistent manager now.
* Shift to persistence.Manager wrapping a persistence.Store
* Break up the Redis client builder logic
* Move error messages to Store from Manager
* Convert ticket to private for Manager use only
* Add persistence Manager & ticket tests
* Make a custom MockStore that handles time FastForwards
* Strip X-Forwarded auth headers from whitelisted paths
For any paths that match skip-auth-regex, strip normal
X-Forwarded headers that would be sent based on pass-user-headers
or pass-access-token settings. This prevents malicious injecting
of authentication headers through the skip-auth-regex paths in
cases where the regex might be misconfigured and too open.
Control this behavior with --skip-auth-strip-headers flag. This
flag is set to TRUE by default (this is secure by default, but
potentially breaks some legacy configurations).
Only x-Forwarded headers stripped, left the Authorization header
untouched.
* Strip authorization header if it would be set
* Improve TestStripAuthHeaders test table
* Improve --skip-auth-strip-headers flag documentation
* Encode sessions with MsgPack + LZ4
Assumes ciphers are now mandatory per #414. Cookie & Redis sessions
can fallback to V5 style JSON in error cases. TODO: session_state.go
unit tests & new unit tests for Legacy fallback scenarios.
* Only compress encoded sessions with Cookie Store
* Cleanup msgpack + lz4 error handling
* Change NewBase64Cipher to take in an existing Cipher
* Add msgpack & lz4 session state tests
* Add required options for oauthproxy tests
More aggressively assert.NoError on all
validation.Validate(opts) calls to enforce legal
options in all our tests.
Add additional NoError checks wherever error return
values were ignored.
* Remove support for uncompressed session state fields
* Improve error verbosity & add session state tests
* Ensure all marshalled sessions are valid
Invalid CFB decryptions can result in garbage data
that 1/100 times might cause message pack unmarshal
to not fail and instead return an empty session.
This adds more rigor to make sure legacy sessions
cause appropriate errors.
* Add tests for legacy V5 session decoding
Refactor common legacy JSON test cases to a
legacy helpers area under session store tests.
* Make ValidateSession a struct method & add CHANGELOG entry
* Improve SessionState error & comments verbosity
* Move legacy session test helpers to sessions pkg
Placing these helpers under the sessions pkg removed
all the circular import uses in housing it under the
session store area.
* Improve SignatureAuthenticator test helper formatting
* Make redis.legacyV5DecodeSession internal
* Make LegacyV5TestCase test table public for linter
* Implements --ip-whitelist option
* Included IPWhitelist option to allow one-or-more selected CIDR ranges
to bypass OAuth2 authentication.
* Adds IPWhitelist, a fast lookup table for multiple CIDR ranges.
* Renamed IPWhitelist ipCIDRSet
* Fixed unessesary pointer usage in ipCIDRSet
* Update CHANGELOG.md
* Update CHANGELOG.md
* Updated to not use err.Error() in printf statements
* Imrpoved language for --ip-whitelist descriptions.
* Improve IP whitelist options error messages
* Clarify options single-host normalization
* Wrote a book about ipCIDRSet
* Added comment to IsWhitelistedIP in oauthproxy.go
* Rewrite oauthproxy test case as table driven
* oops
* Support whitelisting by low-level remote address
* Added more test-cases, improved descriptions
* Move ip_cidr_set.go to pkg/ip/net_set.go
* Add more whitelist test use cases.
* Oops
* Use subtests for TestIPWhitelist
* Add minimal tests for ip.NetSet
* Use switch statment
* Renamed ip-whitelist to whitelist-ip
* Update documentation with a warning.
* Update pkg/apis/options/options.go
* Update CHANGELOG.md
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Update pkg/ip/net_set_test.go
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Update pkg/ip/net_set_test.go
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Update pkg/ip/net_set_test.go
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Apply suggestions from code review
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* fix fmt
* Move ParseIPNet into abstraction
* Add warning in case of --reverse-proxy
* Update pkg/validation/options_test.go
* Rename --whitelist-ip to --trusted-ip
* Update oauthproxy.go
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* fix
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Add req.host to targetURL when redirecting to https
The req.URL.Host might not be present when redirecting to https if the
given req.URL is something like "/". In such scenario, the req.Host is
still present and valid.
This commit adds the original req.Host to the targetURL before returning
the 308 status, to avoid having a `Location: https:///` in the response.
* Bring back empty line
* Wrap the setting of targetURL.Host in a condition
* Add a comment to the test explaining why the redirectURL includes example.com
* Add changelog entry
A blank user agent is considered == to an empty string. When no -ping-user-agent option is specified, this is considered to be an empty string.
This reveals two problems:
- When no ping-user-agent is specified, main.go sets up a health check user agent of ""
- When no user agent is specified, the empty string is still checked against the health check user agents.
Now the health check middleware ignores blank user agents and paths in order to sanitise it's input to avoid this issue.
Additional tests have been added to verify these situations.
Moves the logic for redirecting to HTTPs to a middleware package and adds tests for this logic.
Also makes the functionality more useful, previously it always redirected to the HTTPS address of the proxy, which may not have been intended, now it will redirect based on if a port is provided in the URL (assume public facing 80 to 443 or 4180 to 8443 for example)
* Changed how gitlab-group is parsed, from string to []string
See #637
* Point out that gitlab-group can be a list
See #637
* Reflect to the []string change on pkg/apis/options/options.go
See #637
* Move cfg option gitlab_group to gitlab_groups
See #637
* Renamed Group to Groups
See #637
* Reflect the change on gitlab.go as well
See #637
* Added #639
* Added the author of #639 to the CHANGELOG
* Add the gitlab_groups env change to CHANGELOG.md
See #639
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Adding one more example - keycloak - alongside with dex IDP.
* don't expose keycloak and proxy ports to the host
* specify email-domain list option in documentation
* get rid of nginx and socat to simplify the example as per https://github.com/oauth2-proxy/oauth2-proxy/pull/604#issuecomment-640054390
* get rid of the scripts - use static file for keycloak startup
* changelog entry
* Update CHANGELOG.md
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Add an option to allow health checks based on User-Agent.
* Formatting fix
* Rename field and avoid unnecessary interface.
* Skip the redirect fix so it can be put into a different PR.
* Add CHANGELOG entry
* Adding a couple tests for the PingUserAgent option.
* Parse Redis cluster and sentinel urls
* Add changelog entry for #573
* Add unit tests for redis session store
* Use %v for error fmt
Co-authored-by: Amnay Mokhtari <amnay.mokhtari@adevinta.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Refactor the utils package to other areas
Move cookieSession functions to cookie session store
& align the double implementation of SecretBytes to be
united and housed under encryption
* Remove unused Provider SessionFromCookie/CookieForSession
These implementations aren't used, these are handled in the cookie store.
* Add changelog entry for session/utils refactor
* Implements -real-client-ip-header option.
* The -real-client-ip-header determines what HTTP header is used for
determining the "real client IP" of the remote client.
* The -real-client-ip-header option supports the following headers:
X-Forwarded-For X-ProxyUser-IP and X-Real-IP (default).
* Introduces new realClientIPParser interface to allow for multiple
polymorphic classes to decide how to determine the real client IP.
* TODO: implement the more standard, but more complex `Forwarded` HTTP
header.
* Corrected order of expected/actual in test cases
* Improved error message in getRemoteIP
* Add tests for getRemoteIP and getClientString
* Add comment explaining splitting of header
* Update documentation on -real-client-ip-header w/o -reverse-proxy
* Add PR number in changelog.
* Fix typo repeated word: "it"
Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>
* Update extended configuration language
* Simplify the language around dependance on -reverse-proxy
Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>
* Added completions
* Reorder real client IP header options
* Update CHANGELOG.md
* Apply suggestions from code review
Co-authored-by: Isabelle COWAN-BERGMAN <Izzette@users.noreply.github.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
* Add basic string functions to templates
Co-authored-by: Oliver <oliver006@users.noreply.github.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
* Add -user-id-claim to support other claims than email
Fix#431 - This is a minimal change to allow the user to configure which claim is
the source of the "user ID".
- Add the option `user-id-claim` (defaults to email)
- OIDC extracts this claim into session.Email (to be renamed later)
- providers: add `CreateSessionStateFromBearerToken` with a default impl taken from
`GetJwtSession` and overridden by oidc to respect `user-id-claim`
Once #466 is merged, I can continue to rename SessionState.Email to .UserID
and add HTTP headers with a corresponding name.
* Apply suggestions from code review
Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>
* Review feedback: Don't extract claims manually
Instead, parse them twice - it might be sligtly slower but less bug-prone as the code evolves.
* Fix indentation
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Allow the OIDC issuer verification to be skipped if desired.
* Remove stale warning
* Add CHANGELOG entry
Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
Co-authored-by: Dan Bond <pm@danbond.io>
* Allow multiple cookie domains to be specified
* Use X-Forwarded-Host, if it exists, when selecting cookie domain
* Perform cookie domain sorting in config validation phase
* Extract get domain cookies to a single function
* Update pkg/cookies/cookies.go
Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>
* Update changelog
Co-authored-by: Marcos Lilljedahl <marcosnils@gmail.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* feature: switch Azure AD graph API to Microsoft Graph API
* Update CHANGELOG
* Expand Breaking Changes notice
* Update CHANGELOG.md
Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>
* fix: use constant http method
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* addint redirect capability to sign_out
* updating changelog
* Add a new param to set the Authorization header to up-stream systems as Basic user:password
* Resolving code review
* mutual exclusiv changes for Basic and Bearer Authorization header
* Fixed the merge mixup and comment error
* Updated changelog and fixed typo
* Adding the new entry in changelog
Co-authored-by: Costel Moraru <costel.moraru-germany@ibm.com>
* Prevent browser caching during auth flow
* simplify no-cache logic, add tests and update changelog
* checking noCacheHeaders does not exists in response headers from upstream
* remove unnecessary codes
* add no-cache headers in SignInPage and OAuthStart for proxy mode
https://github.com/oauth2-proxy/oauth2-proxy/pull/453#discussion_r405072222
when type asserting fails here, err is reassigned with nil and the
default block of the switch prints out <nil> in the error message. This
makes debugging a configuration or access token issue difficult
The particular error this surfaces is:
Response: {
"error": "unauthorized_client",
"error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
}
Signed-off-by: Josh Bielick <jbielick@gmail.com>
* feature: Implement graceful shutdown
Propagate the request context to the Redis client.
It is possible to propagate a context cancel to Redis client if the connection is closed by the HTTP client.
The redis.Cmdable cannot use WithContext, so added the Client interface to handle redis.Client and redis.ClusterClient transparently.
Added handling of Unix signals to http server.
Upgrade go-redis/redis to v7.
* Update dependencies
- Upgrade golang/x/* and google-api-go
- Migrate fsnotify import from gopkg.in to github.com
- Replace bmizerany/assert with stretchr/testify/assert
* add doc for wrapper interface
* Update CHANGELOG.md
* fix: upgrade fsnotify to v1.4.9
* fix: remove unnessary logging
* fix: wait until all connections have been closed
* refactor: move chan to main for testing
* add assert to check if stop chan is empty
* add an idiomatic for sync.WaitGroup with timeout
* Upgrade base image tags and golangci-lint
* Upgrade golang and golangci-lint in travis-ci
* fix: tests, pointed out by golangci-lint and format files
* Upgrade dependencies
* update changelog
* fix: tests related to https://github.com/pusher/oauth2_proxy/pull/418
* Separate tests using go version build tags
* Update CHANGELOG
* Revert "Separate tests using go version build tags"
This reverts commit 9b7e65eb90cae954dc7b6316345d3207205d488a.
* fix test to support go1.14 and go1.13
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Previously in #401, an option was added to support forwarding the email
address as the username to the upstream service when the PassBasicAuth
option is used.
The PassBasicAuth option is not appropriate for all users, with PassUserHeaders
allowing very similar functionality without specifying a basic auth headers.
The PreferEmailToUser option has been expanded to support the PassUserHeaders
option.
With some providers the Username is an upstream Unique ID, like fex. in the
case of Google.
When matching this with downstream databases, it's sometimes preferred to use
the email address as the known identifier.
However, when _mixing_ this with sometimes other sources, like htaccess, which
doesn't have a concept of an email address, it can turn difficult.
This change makes the headers _prefer_ to use the Email address, if such exists,
for the Username identifier when passing data to downstream services.
Defaults to Off.
Signed-off-by: D.S. Ljungmark <ljungmark@modio.se>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Add nsswitch.conf to Docker image
Created nsswitch.conf to use locally defined translations before DNS. Copied to /etc/nsswitch.conf in the image.
* Add new line
* Updated Changelog
Co-authored-by: Dan Bond <danbond@protonmail.com>
* OIDC Token Refresh works without id_tokens
Addresses https://github.com/pusher/oauth2_proxy/issues/318
Refactoring the OIDC provider so that the refresh process works when there are
no id_tokens present in the response. Added unit tests to the oidc_test.go to prove
the redeem and refresh still work.
The expiry time of the session is now taken from the outh token expiry and not
the id_token (preventing stale access_tokens in sessions).
* Refactoring the to use a KeySetStub in the oidc_test.go. This allows the
elimination of the slightly contrived function passing elements used
previously. (This change is being applied to address the bug #318)
* Changes as per the PR comments and preparing for 5.x release
* Fixup changelog
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Extend the redis session store to support redis cluster
* rename function newRedisClient to newRedisCmdable
* update docs about redis cluster as session store
* update autocomplete script with redis cluster options
* add check about conflict between option redis-use-sentinel and redis-use-cluster
* update change log
* Update docs/configuration/sessions.md
Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>
* Update pkg/sessions/redis/redis_store.go
Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>
* add the dropped option back
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Fix login page fragment handling after soft reload on Firefox.
* Add comments.
* Move changelog entry to correct place.
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Felix Fontein <felix@fontein.de>
* Added userinfo endpoint
* Added documentation for the userinfo endpoint
* Update oauthproxy.go
Co-Authored-By: Dan Bond <pm@danbond.io>
* Suggested fixes : Streaming json to rw , header set after error check
* Update oauthproxy.go
Co-Authored-By: Dan Bond <pm@danbond.io>
* fix session.Email
* Ported tests and updated changelog
* Added version check for bash version gteq 4
* Added entry to CHANGELOG for bash 4.0 configure script dependency
* Corrected changelog entry to right format
* Fixed link in changelog entry
* Remove uneeded new line.
* worked on wrapping errors in requests.go, added defer statements
* removed .idea (generated by goland)
* added another require.NoError
* Update pkg/requests/requests.go
Co-Authored-By: Dan Bond <pm@danbond.io>
* fixed out-of-order imports
* changelog entry added
* swapped error definitions to use fmt.Errorf rather than Wrap()
* formatting changes, added new defers to requests_test.go
* suppot for go1.12 pipeline removed from travis pipeline, .idea/ added to gitignore
* Reorder changelog entry
Add a new provider for Bitbucket,
can be configured from the options
specifying team and/or repository
that the user must be part/have access
to in order to grant login.
alone
Previously some headers that are normally set by the proxy (and may be
replied upstream for authorization decisiions) were not being set
depending on values in the users sesssion.
This change ensure that if a given header is sometimes set, it will
always be either set or removed.
It might be worth considerating always deleting these headers if we
didn't add them.
* New flag "-ssl-upstream-insecure-skip-validation" to skip SSL validation for upstreams with self generated / invalid SSL certificates.
* Fix tests for modified NewReverseProxy method.
* Added change to the changelog.
* Remove duplicate entries from changelog.
* Initial version of OIDC based GitLab provider
* Add support for email domain check to GitLab provider
* Add gitlab.com as default issuer for GitLab provider
* Update documentation for GitLab provider
* Update unit tests for new GitLab provider implementation
* Update CHANGELOG for GitLab provider
* Rename GitLab test access token as response to linter
* Check Google group membership with hasMember and get.
This PR is an enhancement built on
https://github.com/pusher/oauth2_proxy/pull/160. That PR reduces the
number of calls to the Google Admin API and simplifies the code by
using the hasMember method. It also supports checking membership in
nested groups.
However, the above message doesn't handle members who are not a part
of the domain. The hasMember API returns a 400 for that case. As a
fallback, when the API returns a 400, this change will try using the
`get` API which works as expected for members who aren't a part of the
domain. Supporting members who belong to the Google group but aren't
part of the domain is a requested feature from
https://github.com/pusher/oauth2_proxy/issues/95.
https://developers.google.com/admin-sdk/directory/v1/reference/members/get
Note that nested members who are not a part of the domain will not be
correctly detected with this change.
* Update CHANGELOG.
* Fix incorrect JSON and stop escaping strings.
* Add comments for each scenario.
Add ability to silence logging of requests to /ping endpoint, reducing
log clutter
Pros:
- Don't have to change all handlers to set/not set silent ping logging
- Don't have to duplicate `loggingHandler` (this could be preferable yet)
Cons:
- Leaking oauth2proxy logic into `package logger`
- Defining default pingPath in two locations
Alternative:
- Add generic exclude path to `logger.go` and pass in `/ping`.
This will let Docker cache the results of the vendor dependencies.
Making re-builds during testing faster.
Also clean-up spurious test & rm in ./configure
Fix an unsupported protocol scheme error when validating tokens by
ensuring that the ValidateURL generates a non-empty string. The Azure
provider doesn't define any ValidateURL and therefore uses the default
value of `url.Parse("")` which is not `nil`.
The following log summary shows the issue:
2019/06/14 12:26:04 oauthproxy.go:799: 10.244.1.3:34112 ("10.244.1.1") refreshing 16h26m29s old session cookie for Session{email:jonas.fonseca@example.com user:jonas.fonseca token:true} (refresh after 1h0m0s)
2019/06/14 12:26:04 internal_util.go:60: GET ?access_token=eyJ0...
2019/06/14 12:26:04 internal_util.go:61: token validation request failed: Get ?access_token=eyJ0...: unsupported protocol scheme ""
2019/06/14 12:26:04 oauthproxy.go:822: 10.244.1.3:34112 ("10.244.1.1") removing session. error validating Session{email:jonas.fonseca@example.com user:jonas.fonseca token:true}
Use simple USER directive.
Using `addgroup` in final `arm` image when building on amd64 doesn't work.
I must have made a mistake during cross build verification.
Alternative is to use qemu-static but it's not worth it for this.
* Use encoding/json for SessionState serialization
In order to make it easier to extend in future.
* Store only email and user in cookie when cipher is unavailable
This improves safety and robustness, and also preserves the existing
behaviour.
* Add TestEncodeSessionState/TestDecodeSessionState
Use the test vectors with JSON encoding just introduced.
* Support session state encoding in older versions
* Add test cases for legacy session state strings
* Add check for wrong expiration time in session state strings
* Avoid exposing time.Time zero value when encoding session state string
* Update CHANGELOG.md
* first stab at login.gov provider
* fixing bugs now that I think I understand things better
* fixing up dependencies
* remove some debug stuff
* Fixing all dependencies to point at my fork
* forgot to hit save on the github rehome here
* adding options for setting keys and so on, use JWT workflow instead of PKCE
* forgot comma
* was too aggressive with search/replace
* need JWTKey to be byte array
* removed custom refresh stuff
* do our own custom jwt claim and store it in the normal session store
* golang json types are strange
* I have much to learn about golang
* fix time and signing key
* add http lib
* fixed claims up since we don't need custom claims
* add libs
* forgot ioutil
* forgot ioutil
* moved back to pusher location
* changed proxy github location back so that it builds externally, fixed up []byte stuff, removed client_secret if we are using login.gov
* update dependencies
* do JWTs properly
* finished oidc flow, fixed up tests to work better
* updated comments, added test that we set expiresOn properly
* got confused with header and post vs get
* clean up debug and test dir
* add login.gov to README, remove references to my repo
* forgot to remove un-needed code
* can use sample_key* instead of generating your own
* updated changelog
* apparently golint wants comments like this
* linter wants non-standard libs in a separate grouping
* Update options.go
Co-Authored-By: timothy-spencer <timothy.spencer@gsa.gov>
* Update options.go
Co-Authored-By: timothy-spencer <timothy.spencer@gsa.gov>
* remove sample_key, improve comments related to client-secret, fix changelog related to PR feedback
* github doesn't seem to do gofmt when merging. :-)
* update CODEOWNERS
* check the nonce
* validate the JWT fully
* forgot to add pubjwk-url to README
* unexport the struct
* fix up the err masking that travis found
* update nonce comment by request of @JoelSpeed
* argh. Thought I'd formatted the merge properly, but apparently not.
* fixed test to not fail if the query time was greater than zero
* fixes deletion of splitted cookies
* three minor adjustments to improve the tests
* changed cookie name matching to regex
* Update oauthproxy.go
Co-Authored-By: einfachchr <einfachchr@gmail.com>
* removed unused variable
* Changelog
* Added conditional to prevent user-supplied redirect URL getting
clobbered
Change-type: patch
* use redirectURL as OAuthCallbackURL (as it should be!)
Change-type: patch
Run as non-root user and group
In the unlikely event that you are currently persisting data to disk then this
change may break file read/write access due to a change in the UID/GID that the
oauth2_proxy process runs as.
Run as non-root system user and group `oauth2proxy` with UID/GID `2000` to avoid clashing with typical local users.
An alternative to creating a separate user is to ~~chown binary and~~ run as `USER nobody`, which also works, can amend this PR if required.
Least access privileges.
Close: https://github.com/pusher/oauth2_proxy/issues/78
Locally with Docker (`-version`):
```
$ ps aux | grep oauth2
2000 25192 6.0 0.0 0 0 ? Ds 15:53 0:00 [oauth2_proxy]
```
Running in Kubernetes 1.13 with the following also specified:
```
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 10001
```
```
$ kubectl exec -it -n oauth2-proxy oauth2-proxy-85c9f58ffc-dz9lr sh
/opt $ whoami
whoami: unknown uid 10001
/opt $ ps aux
PID USER TIME COMMAND
1 10001 0:00 /opt/oauth2_proxy --whitelist-domain=.example.com --cookie-domain=example.com --email-domain=example.com --upstream=file:///dev/null --http-address=0.0.0.0:4180
11 10001 0:00 sh
17 10001 0:00 ps aux
```
<!--- Go over all the following points, and put an `x` in all the boxes that apply. -->
<!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! -->
- [x] My change requires a change to the documentation or CHANGELOG.
- [x] I have updated the documentation/CHANGELOG accordingly.
- [x] I have created a feature (non-master) branch for my PR.
* Access token forwarding through nginx auth request
Related to #420.
(cherry picked from commit b138872bea)
Signed-off-by: David Holsgrove <david.holsgrove@biarri.com>
* Improved documentation for auth request token
(cherry picked from commit 6fab314f72)
Signed-off-by: David Holsgrove <david.holsgrove@biarri.com>
* Update README.md
Example should set header as `X-Access-Token`
Co-Authored-By: davidholsgrove <davidholsgrove@users.noreply.github.com>
* Update Changelog to reference https://github.com/pusher/oauth2_proxy/pull/68
* Fix Changelog message location
