1
0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2024-11-28 09:08:44 +02:00
Commit Graph

209 Commits

Author SHA1 Message Date
Nick Meves
ff914d7e17 Use ErrNotImplemented in default refresh implementation 2021-06-22 17:04:42 -07:00
Nick Meves
593125152d Standarize provider refresh implemention & logging 2021-06-22 17:04:30 -07:00
Nick Meves
7fa6d2d024 Manage session time fields centrally 2021-06-21 21:54:52 -07:00
Nick Meves
7e80e5596b RefreshSessions immediately when called 2021-06-21 21:54:52 -07:00
Sami Racho
a14c0c2121 Added ADFS Provider 2021-06-13 10:19:56 +02:00
Nick Meves
7eeaea0b3f
Support nonce checks in OIDC Provider (#967)
* Set and verify a nonce with OIDC

* Create a CSRF object to manage nonces & cookies

* Add missing generic cookie unit tests

* Add config flag to control OIDC SkipNonce

* Send hashed nonces in authentication requests

* Encrypt the CSRF cookie

* Add clarity to naming & add more helper methods

* Make CSRF an interface and keep underlying nonces private

* Add ReverseProxy scope to cookie tests

* Align to new 1.16 SameSite cookie default

* Perform SecretBytes conversion on CSRF cookie crypto

* Make state encoding signatures consistent

* Mock time in CSRF struct via Clock

* Improve InsecureSkipNonce docstring
2021-04-21 10:33:27 +01:00
Nick Meves
05c3fa7601
Fix GitLab CVE test case 2021-03-25 10:29:17 -07:00
Nick Meves
0279fa7dff
Merge pull request from GHSA-652x-m2gr-hppm
* Populate session Groups from userinfo response

* Fix: gitlab tests

Co-authored-by: Wilfried OLLIVIER <wollivier@bearstech.com>
2021-03-25 17:20:45 +00:00
Piers Harding
73d9f3809e
Panic with GitLab project repository auth (#1113)
* panic with GitLab project repository auth

* /api/v4/projects/:id can return nil permissions

Signed-off-by: Piers Harding <piers@ompka.net>

* Add GitLab test for group no access

Signed-off-by: Piers Harding <piers@ompka.net>
2021-03-25 08:48:20 -07:00
Weinong Wang
f3209a40e1
extract email from id_token for azure provider (#914)
* extract email from id_token for azure provider

this change fixes a bug when --resource is specified with non-Graph
api and the access token destined to --resource is used to call Graph
api

* fixed typo

* refactor GetEmailAddress to EnrichSessionState

* make getting email from idtoken best effort and fall back to previous behavior when it's absent

* refactor to use jwt package to extract claims

* fix lint

* refactor unit tests to use test table
refactor the get email logic from profile api

* addressing feedback

* added oidc verifier to azure provider and extract email from id_token if present

* fix lint and codeclimate

* refactor to use oidc verifier to verify id_token if oidc is configured

* fixed UT

* addressed comments

* minor refactor

* addressed feedback

* extract email from id_token first and fallback to access token

* fallback to access token as well when id_token doesn't have email claim

* address feedbacks

* updated change log!
2021-03-09 20:53:15 -08:00
Joel Speed
9cea4ea89b
Update golangci-lint version in CI workflow 2021-02-17 20:25:37 +00:00
Joel Speed
b6cca79cb9
Ensure errors in tests are logged to the GinkgoWriter 2021-02-10 19:50:04 +00:00
Kevin Kreitner
57640764c0
Use logger for sensitive data logging to be able to disable it (#1002)
* Add sensible logging flag to default setup for logger

* Use logger instead of fmt for info logging with sensible data

* Remove sensible logging flag

* Update CHANGELOG.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2021-01-20 19:56:13 +00:00
Nick Meves
4b28e6886c
Handle ValidateURL fallback for nil & empty struct cases 2020-12-24 14:04:20 -08:00
Nick Meves
816d9a4566
Use a generic http.HandlerFunc in Keycloak tests 2020-12-24 14:04:19 -08:00
Nick Meves
f07a5630f1
Update Keycloak documentation 2020-12-24 14:04:19 -08:00
Nick Meves
138a6b128a
Use ProfileURL for userinfo EnrichSession calls in Keycloak 2020-12-24 14:04:19 -08:00
Nick Meves
0886f8035c
Move all Keycloak unit tests to Ginkgo 2020-12-24 14:04:19 -08:00
Nick Meves
3369799853
Migrate Keycloak to EnrichSession & support multiple groups 2020-12-24 14:04:19 -08:00
Nick Meves
d2ffef2c7e
Use global OIDC fields for Gitlab 2020-12-21 16:54:12 -08:00
Nick Meves
42f6cef7d6
Improve OIDC error handling 2020-12-21 16:53:05 -08:00
Nick Meves
ea5b8cc21f
Support non-list and complex groups 2020-12-21 16:52:18 -08:00
Nick Meves
eb56f24d6d
Deprecate UserIDClaim in config and docs 2020-12-21 16:52:17 -08:00
Nick Meves
74ac4274c6
Move generic OIDC functionality to be available to all providers 2020-12-21 16:52:04 -08:00
Nick Meves
a1877434b2
Refactor OIDC to EnrichSession 2020-12-21 16:51:52 -08:00
Mathieu Lecarme
d67d6e3152
Add authorization support for Gitlab projects (#630)
* Add support for gitlab projets

* Add group membership in state

* Use prefixed allowed groups everywhere

* Fix: remove unused function

* Fix: rename func that add data to session

* Simplify projects and groups session funcs

* Add project access level for gitlab projects

* Fix: default access level

* Add per project access level

* Add user email when missing access level

* Fix: harmonize errors

* Update docs and flags description for gitlab project

* Add test with both projects and groups

* Fix: log error message

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Fix: make doc a markdown link

* Add notes about read_api scope for projects

* Fix: Verifier override in Gitlab Provider

This commit fixes a bug caused by an override of the Verifier value from *ProviderData inside GitlabProvider struct

* Fix: ensure data in session before using it

* Update providers/gitlab.go

Co-authored-by: Nick Meves <nick.meves@greenhouse.io>

* Rename gitlab project initializer

* Improve return value readbility

* Use splitN

* Handle space delimiters in set project scope

* Reword comment for AddProjects

* Fix: typo

* Rework error handling in addProjectsToSession

* Reduce branching complexity in addProjectsToSession

* Fix: line returns

* Better comment for addProjectsToSession

* Fix: enrich session comment

* Fix: email domains is handled before provider mechanism

* Add archived project unit test

* Fix: emails handling in gitlab provider

Co-authored-by: Wilfried OLLIVIER <wollivier@bearstech.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Nick Meves <nick.meves@greenhouse.io>
2020-12-05 10:57:33 -08:00
Nick Meves
26ed080bed
Cleanup method name refactors missed in comments 2020-11-29 14:18:14 -08:00
Nick Meves
57a8ef06b4
Fix method renaming in comments and tests 2020-11-28 10:25:12 -08:00
Nick Meves
22f60e9b63
Generalize and extend default CreateSessionFromToken 2020-11-28 10:25:12 -08:00
Nick Meves
3e9717d489
Decouple TokenToSession from OIDC & add a generic VerifyFunc 2020-11-28 10:25:11 -08:00
Nick Meves
e9f787957e
Standardize provider interface method names 2020-11-28 10:25:11 -08:00
Nick Meves
d7fa979060
Note legacy areas to refactor away from groupValidator 2020-11-12 11:18:59 -08:00
Nick Meves
f21b3b8b20
Authorize in Redeem callback flow 2020-11-12 11:18:59 -08:00
Nick Meves
1b3b00443a
Streamline ErrMissingCode in provider Redeem methods 2020-11-12 11:18:59 -08:00
Nick Meves
b92fd4b0bb
Streamline Google to use default Authorize 2020-11-12 11:18:58 -08:00
Nick Meves
eb58ea2ed9
Move AllowedGroups to DefaultProvider for default Authorize usage 2020-11-12 11:18:15 -08:00
Nick Meves
e7ac793044
Replace ValidateGroup with Authorize for Provider 2020-11-12 11:17:06 -08:00
Arcadiy Ivanov
45ae87e4b7
Logs provider name on startup
If invalid provider is specified, stop and error out

fixes #895
2020-11-12 10:39:35 -05:00
Alexander Block
0e119d7c84
Azure token refresh (#754)
* Implement azure token refresh

Based on original PR https://github.com/oauth2-proxy/oauth2-proxy/pull/278

* Update CHANGELOG.md

* Apply suggestions from code review

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Set CreatedAt to Now() on token refresh

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-11-04 11:25:59 -08:00
Kevin Kreitner
65016c8da1
Enable custom structure for group claim with default name group (#839)
* Allow complex structure for groups in group claim.

* Remove unused constant

* Update variable name

* Fix linting

* Use helper method

* Log error if not possible to append group value

* Add missing import

* Use own logger

* Fix imports

* Remove Dockerfile for testing

* Add Changelog entry

* Use formatGroup helper method and update tests

* Return string instead of string array

* Remove groups variable

* Return error in format method.

* Reorder imports

Co-authored-by: Nick Meves <nick.meves@greenhouse.io>
2020-11-03 10:10:08 -08:00
Nick Meves
4a54c9421c
Remove EmailDomain verification from GitLab provider
This is handled globally
2020-10-20 10:01:53 -07:00
Nick Meves
d9c141ae7c
Remove GetUserName method from Provider 2020-10-19 14:09:46 -07:00
Nick Meves
0da45e97e1
Refactor GitLab to EnrichSessionState 2020-10-19 14:09:45 -07:00
Nick Meves
e51f5fe7c9
Refactor GitHub to EnrichSessionState 2020-10-19 14:09:45 -07:00
Nick Meves
2b9e1bbba0
Add EnrichSessionState as main post-Redeem session updater 2020-10-19 14:09:45 -07:00
Nick Meves
0bd8eb3191
Setup provider.ErrNotImplemented sentinel error 2020-10-19 14:09:02 -07:00
Mitsuo Heijo
3fa42edb73
Fix import path for v7 (#800)
* fix import path for v7

find ./ -name "*.go" | xargs sed -i -e 's|"github.com/oauth2-proxy/oauth2-proxy|"github.com/oauth2-proxy/oauth2-proxy/v7|'

* fix module path

* go mod tidy

* fix installation docs

* update CHANGELOG

* Update CHANGELOG.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-09-29 17:44:42 +01:00
Alexander Block
74918c40d8 Refactor makeLoginURL to accept extraParams
And don't require the caller to know how to use the returned params.
2020-09-28 12:15:06 +02:00
Alexander Block
4eb9612679 Move DefaultGetLoginURL into util.go 2020-09-28 12:15:06 +02:00
Alexander Block
9a64e67d5b De-duplicate code in GetLoginURL of in logingov provider
Also add unit test to ensure logingov specific logic is applied.
2020-09-28 12:15:06 +02:00