1
0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2024-11-30 09:16:52 +02:00
Commit Graph

315 Commits

Author SHA1 Message Date
Jacob Middag
3045392c17
feat: Replace default Go user-agent with oauth2-proxy and version (#2570)
* feat: Replace default Go user-agent with oauth2-proxy and version

* Add to CHANGELOG

* Make userAgentTransport configurable and composable

* Use correct naming convention for DefaultHTTPClient

* Move version to own package and use named arguments

* Update version path in Makefile

* Fix import path in Makefile

* Change importpath in dist.sh

* Minor style issues
2024-07-14 21:09:17 +01:00
kvanzuijlen
f8efdbae5f
chore: Updated go-jwt to v5 2024-03-04 01:42:00 +01:00
Damien Degois
e7d20519df
Session aware logout, backend logout url approach (#1876)
* Session aware logout, backend logout url approach

* Add CHANGELOG.md and documentation for #1876

* Proper http handling and case change for golint compliance

* Update alpha_config.md

* Fix case conformity

* Change placeholder from ${id_token} to {id_token}

As this should be specified in a URL and curly braces should be escaped as %7b and %7d, therefore using {} shouldn't be an issue

* Apply suggestions from code review

Co-authored-by: Jan Larwig <jan@larwig.com>

* Add other suggestions

* Add suggestions and move background logout to generic provider

* Changelog updated

* Update oauthproxy.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Add comment for gosec, remove sensitive data from log

---------

Co-authored-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2024-01-26 12:48:09 +00:00
charvadzo
ee3e9b8841
Log error details when failed loading CSRF cookie (#2345)
* Log error details when failed loading CSRF cookie

* Add a record about this PR to CHANGELOG.md

---------

Co-authored-by: Ondrej Charvat <ondrej.charvat@yunextraffic.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2024-01-20 19:27:23 +00:00
Jan Brezina
bc022fbfd1
Add possibility to encode the state param as UrlEncodedBase64 (#2312)
* Add possibility to encode the state param as UrlEncodedBase64

* Update CHANGELOG.md

* Update oauthproxy.go

Co-authored-by: Jan Larwig <jan@larwig.com>

---------

Co-authored-by: Jan Larwig <jan@larwig.com>
2024-01-20 19:08:30 +00:00
Tim White
551b6c9056
Support http.AllowQuerySemicolons (#2248)
* Support http.AllowQuerySemicolons

* Docs

* Make it clear we are overriding the handler

* Update documentation for allow-query-semicolons

* Fix changelog format

* Fix formatting

---------

Co-authored-by: MickMake <github@mickmake.com>
2023-11-20 09:36:03 +00:00
axel7083
601477a52c
Feature: Allowing relative redirect url though an option (#2183)
* Adding relative redirect url option

* Updating CHANGELOG.md

* tests: adding unit test for getOAuthRedirectURI

---------

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2023-10-25 10:25:01 +01:00
Cory Bolar
a02ab7c04e Embed static stylesheets and dependencies
Embedding css and webfont dependencies allows the application to present
itself correctly in an environment that does not allow downloading the
files from a cdn.

Inspiration taken from #1492 but reworked to make use of embed.FS
simplifying the approach.
2023-08-24 20:50:17 -04:00
Marius Zander
7529095e1a
fix: use X-Forwarded-Uri if it exists for pathRegex match
the functions `isApiPath` and `isAllowedPath` use the `req.URL.Path` property which leads to faulty behavior when behind a reverse proxy. The correct path can be inferred from the `X-Forwarded-Uri` header by making use of the already provided `requestutil.GetRequestURI` function.

Co-authored-by: Jan Wystub <jan@bam-bam-bam.com>
2023-08-23 15:15:50 +02:00
Ronald Petty
8c60b64cf4
Update oauthproxy.go (#2189)
Minor - spelling typos in comment
2023-08-22 17:25:30 +01:00
Ole-Martin Bratteng
5d60177d3e
Log the difference between invalid email and not authorized session (#2010)
* Log the difference between invalid email and not authorized session

* Add changelog entry

* Remove superfluous argument

---------

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2023-03-05 18:28:56 +00:00
Ho Kim
2faa91eb74
Fix a typo in oauthproxy.go (#2021) 2023-02-20 10:21:59 +00:00
Kobi Meirson
f753ec1ca5
feat: readiness check (#1839)
* feat: readiness check

* fix: no need for query param

* docs: add a note

* chore: move the readyness check to its own endpoint

* docs(cr): add godoc

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2022-12-23 09:08:12 +00:00
Braunson M
f4f5b7756c Fix PKCE code verifier generation to never use UTF-8 characters
- This could result in intermittent/random failures of PKCE enabled IdP's
2022-11-18 20:37:14 -05:00
Segfault16
965fab422d
Add API route config (#1760)
* Add API route config

In addition to requests with Accept header `application/json` return 401 instead of 302 to login page on requests matching API paths regex.

* Update changelog

* Refactor

* Remove unnecessary comment

* Reorder checks

* Lint Api -> API

Co-authored-by: Sebastian Halder <sebastian.halder@boehringer-ingelheim.com>
2022-09-11 16:09:32 +01:00
Ian Serpa
f53754808b Support negating for skip auth routes 2022-09-02 22:23:29 +02:00
Alexandru Ciobanu
037cb041d3
Watch the htpasswd file for changes and update the htpasswdMap (#1701)
* dynamically update the htpasswdMap based on the changes made to the htpasswd file

* added tests to validate that htpasswdMap is updated after the htpasswd file is changed

* refactored `htpasswd` and `watcher` to lower cognitive complexity

* returned errors and refactored tests

* added `CHANGELOG.md` entry for #1701 and fixed the codeclimate issue

* Apply suggestions from code review

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Fix lint issue from code suggestion

* Wrap htpasswd load and watch errors with context

* add the htpasswd wrapped error context to the test

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2022-09-01 19:46:00 +01:00
Alexandru Ciobanu
cbda3cf618 implement an error alert message for invalid basic auth credentials 2022-06-30 18:10:02 +03:00
Nik Skoufis
743c344fdc
Change error type for redirect parsing errors (#1649)
* Change error type for redirect parsing errors

This changes the error type returned when the proxy fails to parse the
redirect target to be a 400 error instead of a 500 error.

As far as I can tell, the only way that this can fail is a failure to
parse the properties of the request to identity the redirect target.
This indicates that the user has sent a malformed request, and so should
result in a 400 rather than a 500.

I've added a test to exercise this, based on a real work example.

* Update changelog

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2022-05-20 14:26:21 +01:00
zv0n
b794248176
Add allowed_emails option to the auth endpoint query string (#1595)
* Add allowed_emails option to the auth endpoint query string

* Don't return true from checkAllowedEmailsOrDomains only because domains field was empty

* Fix checkAllowedEmailsOrDomains logic

* Added tests for allowed_emails query parameter

* Updated CHANGELOG

* Remove checkAllowedEmailsOrDomains

Co-authored-by: Nick Meves <nicholas.meves@gmail.com>
2022-04-23 18:11:38 -07:00
Braunson
ce750e9b30
PKCE Support (#1541)
* Add the allowed_email_domains and the allowed_groups on the auth_request endpoint + support standard wildcard char for validation with sub-domain and email-domain.

Signed-off-by: Valentin Pichard <github@w3st.fr>

* Fix provider data initialisation

* PKCE Support

Adds Code Challenge PKCE support (RFC-7636) and partial
Authorization Server Metadata (RFC-8414) for detecting PKCE support.

- Introduces new option `--force-code-challenge-method` to force a
specific code challenge method (either `S256` or `plain`) for instances
when the server has not implemented RFC-8414 in order to detect
PKCE support on the discovery document.
- In all other cases, if the PKCE support can be determined during discovery
then the `code_challenge_methods_supported` is used and S256 is always
preferred.
- The force command line argument is helpful with some providers like Azure
who supports PKCE but does not list it in their discovery document yet.
- Initial thought was given to just always attempt PKCE since according to spec
additional URL parameters should be dropped by servers which implemented
OAuth 2, however other projects found cases in the wild where this causes 500
errors by buggy implementations.
See: https://github.com/spring-projects/spring-security/pull/7804#issuecomment-578323810
- Due to the fact that the `code_verifier` must be saved between the redirect and
callback, sessions are now created when the redirect takes place with `Authenticated: false`.
The session will be recreated and marked as `Authenticated` on callback.
- Individual provider implementations can choose to include or ignore code_challenge
and code_verifier function parameters passed to them

Note: Technically speaking `plain` is not required to be implemented since
oauth2-proxy will always be able to handle S256 and servers MUST implement
S256 support.
> If the client is capable of using "S256", it MUST use "S256", as "S256"
> is Mandatory To Implement (MTI) on the server.  Clients are permitted
> to use "plain" only if they cannot support "S256" for some technical
> reason and know via out-of-band configuration that the server supports
> "plain".
Ref: RFC-7636 Sec 4.2

oauth2-proxy will always use S256 unless the user explicitly forces `plain`.

Fixes #1361

* Address PR comments by moving pkce generation

* Make PKCE opt-in, move to using the Nonce generater for code verifier

* Make PKCE opt-in, move to using the Nonce generater for code verifier

* Encrypt CodeVerifier in CSRF Token instead of Session

- Update Dex for PKCE support
- Expose HTTPBin for further use cases

* Correct the tests

* Move code challenges into extra params

* Correct typo in code challenge method

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Correct the extra space in docs

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Address changelog and new line nits

* Add generated docs

Co-authored-by: Valentin Pichard <github@w3st.fr>
Co-authored-by: Joel Speed <joel.speed@hotmail.co.uk>
2022-03-13 10:08:33 +00:00
Ian Roberts
63727103db Support for passing through URL query parameters from /oauth2/start to the ID provider's login URL.
You must explicitly configure oauth2-proxy (alpha config only) with which parameters are allowed to pass through, and optionally provide an allow-list of valid values and/or regular expressions for each one.  Note that this mechanism subsumes the functionality of the "prompt", "approval_prompt" and "acr_values" legacy configuration options, which must be converted to the equivalent YAML when running in alpha config mode.
2022-02-19 16:11:09 +00:00
Joel Speed
263a5df820
Merge pull request #1286 from instadeepai/allowed_email_domains-on-auth_request-endpoint
Add allowed_email_domains on auth_request endpoint
2022-02-17 17:10:43 +00:00
Joel Speed
0791aef8cc
Integrate new provider constructor in main 2022-02-16 10:38:07 +00:00
Valentin Pichard
2b4c8a9846 Add the allowed_email_domains and the allowed_groups on the auth_request endpoint + support standard wildcard char for validation with sub-domain and email-domain.
Signed-off-by: Valentin Pichard <github@w3st.fr>
2022-02-14 18:03:20 +01:00
Andy Thompson
c1b01b5bc0 Fix issue with query string allowed group panic on skip methods 2022-02-10 12:39:32 +00:00
Stephan Aßmus
2c668a52d4
Let authentication fail when session validation fails (fixes #1396) (#1433)
* Error page for session validation failure

* Fix existing tests

* Add test-case for session validation failure

* Simplify test

* Add changelog entry for PR

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2021-11-12 18:36:29 +00:00
Joel Speed
d8deaa124b
Improve error message when no cookie is found 2021-10-13 19:08:11 +01:00
Luka Zakrajšek
d3e036d619 Add force-json-errors flag 2021-10-05 11:24:47 +02:00
Jan Rotter
81cfd24962 Store the group membership in the session
This change puts the groups from the htpasswd-user-group in the
session during the manual sign in process. This fixes the issue
with being unable to properly authenticate using the manual
sign in form when certain group membership is required (e.g. when
the --gitlab-group option is used).
2021-09-26 23:07:10 +02:00
Fabian Stelzer
ae72beb24e
Enable UseEncodedPath() for frontend mux
This allows urls with encoded characters (e.g.: /%2F/) to pass to the
upstream mux instead of triggering a HTTP 301 from the frontend.
Otherwise a /%2F/test/ will result in a HTTP 301 -> /test/
2021-09-17 12:31:18 +00:00
Nick Meves
593125152d Standarize provider refresh implemention & logging 2021-06-22 17:04:30 -07:00
Nick Meves
7fa6d2d024 Manage session time fields centrally 2021-06-21 21:54:52 -07:00
Nick Meves
7e80e5596b RefreshSessions immediately when called 2021-06-21 21:54:52 -07:00
Joel Speed
273ab1f591
Integrate redirect package with OAuth2 Proxy 2021-06-19 11:24:27 +01:00
Joel Speed
a8c9b2903d
Use gorilla mux for OAuth Proxy routing 2021-06-19 11:17:16 +01:00
Joel Speed
befcdd9d04
Add pagewriter to upstream proxy 2021-05-10 11:14:05 +01:00
Nick Meves
7eeaea0b3f
Support nonce checks in OIDC Provider (#967)
* Set and verify a nonce with OIDC

* Create a CSRF object to manage nonces & cookies

* Add missing generic cookie unit tests

* Add config flag to control OIDC SkipNonce

* Send hashed nonces in authentication requests

* Encrypt the CSRF cookie

* Add clarity to naming & add more helper methods

* Make CSRF an interface and keep underlying nonces private

* Add ReverseProxy scope to cookie tests

* Align to new 1.16 SameSite cookie default

* Perform SecretBytes conversion on CSRF cookie crypto

* Make state encoding signatures consistent

* Mock time in CSRF struct via Clock

* Improve InsecureSkipNonce docstring
2021-04-21 10:33:27 +01:00
yanasega
42475c28f7
Multiple providers in alpha config (#947)
* Initial commit of multiple provider logic:
1. Created new provider options.
2. Created legacy provider options and conversion options.
3. Added Providers to alpha Options.
4. Started Validation migration of multiple providers
5. Tests.

* fixed lint issues

* additional lint fixes

* Nits and alterations based on CR: manliy splitting large providers validation function and adding comments to provider options

* fixed typo

* removed weird : file

* small CR changes

* Removed GoogleGroups validation due to new allowed-groups (including tests). Added line in CHANGELOG

* Update pkg/apis/options/providers.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/apis/options/providers.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/apis/options/providers.go

Co-authored-by: Nick Meves <nick.meves@greenhouse.io>

* Initial commit of multiple provider logic:
1. Created new provider options.
2. Created legacy provider options and conversion options.
3. Added Providers to alpha Options.
4. Started Validation migration of multiple providers
5. Tests.

* fixed lint issues

* additional lint fixes

* Nits and alterations based on CR: manliy splitting large providers validation function and adding comments to provider options

* small CR changes

* auto generates alpha_config.md

* rebase (mainly service alpha options related conflicts)

* removed :

* Nits and alterations based on CR: manliy splitting large providers validation function and adding comments to provider options

* small CR changes

* Removed GoogleGroups validation due to new allowed-groups (including tests). Added line in CHANGELOG

* "cntd. rebase"

* ran make generate again

* last conflicts

* removed duplicate client id validation

* 1. Removed provider prefixes
2. altered optionsWithNilProvider logic
3. altered default provider logic
4. moved change in CHANELOG to 7.0.0

* fixed TestGoogleGroupOptions test

* ran make generate

* moved CHANGLOG line to 7.1.1

* moved changelog comment to 7.1.2 (additional rebase)

Co-authored-by: Yana Segal <yana.segal@nielsen.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Nick Meves <nick.meves@greenhouse.io>
2021-04-03 17:06:30 +01:00
Joel Speed
c0654e3d9f
Remove unused fields from OAuthProxy 2021-03-29 18:26:48 +01:00
Joel Speed
17009d8363
Metrics server should be constructed with secure bind address for TLS 2021-03-26 09:58:39 +00:00
Joel Speed
64f0a9f580
Reinstate preferEmailToUser behaviour for basic auth sessions 2021-03-22 13:13:26 +00:00
Joel Speed
2e5b229637
Deprecate GCP HealthCheck option 2021-03-21 20:05:13 +00:00
Joel Speed
f3bd61b371
Use pagewriter to render robots txt page 2021-03-21 18:34:42 +00:00
Nick Meves
c1267bb92d
Request ID Logging (#1087)
* Add RequestID to the RequestScope

* Expose RequestID to auth & request loggers

* Use the RequestID in templated HTML pages

* Allow customizing the RequestID header

* Document new Request ID support

* Add more cases to scope/requestID tests

* Split Get vs Generate RequestID funtionality

* Add {{.RequestID}} to the request logger tests

* Move RequestID management to RequestScope

* Use HTML escape instead of sanitization for Request ID rendering
2021-03-21 18:20:57 +00:00
Joel Speed
9dbd5f5afd
Ensure redirect URI always has a scheme 2021-03-14 10:16:29 +00:00
Joel Speed
8d2fc409d8
Integrate new server implementation into main OAuth2 Proxy 2021-03-07 11:49:11 +00:00
Nick Meves
602dac7852
Move Logging to Middleware Package (#1070)
* Use a specialized ResponseWriter in middleware

* Track User & Upstream in RequestScope

* Wrap responses in our custom ResponseWriter

* Add tests for logging middleware

* Inject upstream metadata into request scope

* Use custom ResponseWriter only in logging middleware

* Assume RequestScope is never nil
2021-03-06 17:27:16 +00:00
Stefan Sedich
220b3708fc
Add support for setting groups on session when using basic auth (#1064)
* Add support for setting groups on session when using basic auth

* Refactoring based on feedback

* Attribution
2021-02-25 13:02:23 -08:00
Joel Speed
23e545a639
Add option for custom logos on the sign in page 2021-02-19 13:23:55 +00:00