* Add -user-id-claim to support other claims than email
Fix#431 - This is a minimal change to allow the user to configure which claim is
the source of the "user ID".
- Add the option `user-id-claim` (defaults to email)
- OIDC extracts this claim into session.Email (to be renamed later)
- providers: add `CreateSessionStateFromBearerToken` with a default impl taken from
`GetJwtSession` and overridden by oidc to respect `user-id-claim`
Once #466 is merged, I can continue to rename SessionState.Email to .UserID
and add HTTP headers with a corresponding name.
* Apply suggestions from code review
Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>
* Review feedback: Don't extract claims manually
Instead, parse them twice - it might be sligtly slower but less bug-prone as the code evolves.
* Fix indentation
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Allow the OIDC issuer verification to be skipped if desired.
* Remove stale warning
* Add CHANGELOG entry
Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
Co-authored-by: Dan Bond <pm@danbond.io>
* Allow multiple cookie domains to be specified
* Use X-Forwarded-Host, if it exists, when selecting cookie domain
* Perform cookie domain sorting in config validation phase
* Extract get domain cookies to a single function
* Update pkg/cookies/cookies.go
Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>
* Update changelog
Co-authored-by: Marcos Lilljedahl <marcosnils@gmail.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* feature: switch Azure AD graph API to Microsoft Graph API
* Update CHANGELOG
* Expand Breaking Changes notice
* Update CHANGELOG.md
Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>
* fix: use constant http method
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* addint redirect capability to sign_out
* updating changelog
* Add a new param to set the Authorization header to up-stream systems as Basic user:password
* Resolving code review
* mutual exclusiv changes for Basic and Bearer Authorization header
* Fixed the merge mixup and comment error
* Updated changelog and fixed typo
* Adding the new entry in changelog
Co-authored-by: Costel Moraru <costel.moraru-germany@ibm.com>
* Prevent browser caching during auth flow
* simplify no-cache logic, add tests and update changelog
* checking noCacheHeaders does not exists in response headers from upstream
* remove unnecessary codes
* add no-cache headers in SignInPage and OAuthStart for proxy mode
https://github.com/oauth2-proxy/oauth2-proxy/pull/453#discussion_r405072222
when type asserting fails here, err is reassigned with nil and the
default block of the switch prints out <nil> in the error message. This
makes debugging a configuration or access token issue difficult
The particular error this surfaces is:
Response: {
"error": "unauthorized_client",
"error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
}
Signed-off-by: Josh Bielick <jbielick@gmail.com>
* feature: Implement graceful shutdown
Propagate the request context to the Redis client.
It is possible to propagate a context cancel to Redis client if the connection is closed by the HTTP client.
The redis.Cmdable cannot use WithContext, so added the Client interface to handle redis.Client and redis.ClusterClient transparently.
Added handling of Unix signals to http server.
Upgrade go-redis/redis to v7.
* Update dependencies
- Upgrade golang/x/* and google-api-go
- Migrate fsnotify import from gopkg.in to github.com
- Replace bmizerany/assert with stretchr/testify/assert
* add doc for wrapper interface
* Update CHANGELOG.md
* fix: upgrade fsnotify to v1.4.9
* fix: remove unnessary logging
* fix: wait until all connections have been closed
* refactor: move chan to main for testing
* add assert to check if stop chan is empty
* add an idiomatic for sync.WaitGroup with timeout
