1
0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2024-11-30 09:16:52 +02:00
Commit Graph

488 Commits

Author SHA1 Message Date
Koen van Zuijlen
ef95957990
Release v7.5.1 (#2227)
* Update changelog for v7.5.1 release

* Create versioned docs for release v7.5.x
Created using: yarn run docusaurus docs:version 7.5.x

---------

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2023-09-22 14:29:14 +01:00
Jan Larwig
13af1b4786
fix gitea token validation by allowing custom validation url and extracting the proper base api url for github cloud, github enterprise and gitea (#2194) 2023-09-14 10:09:57 +01:00
tuunit
7683902a42 bugfix: default scopes for OIDCProvider based providers 2023-09-10 20:10:14 +00:00
polarctos
62056a59c2 Update alpine to 3.18
Only pinning minor version to automatically receive patches
2023-09-08 18:22:46 +02:00
Koen van Zuijlen
982ae7e9d2
Added arch types to Docker and binary releases (#2220)
* Added several arm builds to dist.sh

* Added platforms to Dockerfile and updated docs

* Reverted changes made for testing

* Fix docker platform images

* Fix docker platform images

* Update Makefile

Co-authored-by: Jan Larwig <jan@larwig.com>

* Update Makefile

Co-authored-by: Jan Larwig <jan@larwig.com>

* Update Makefile

Co-authored-by: Jan Larwig <jan@larwig.com>

* Formatting improvements

---------

Co-authored-by: Jan Larwig <jan@larwig.com>
2023-09-08 17:18:20 +01:00
Koen van Zuijlen
f3269b3f26
Fixed name for GoogleGroups env variable + unit tests (#2221)
* Fixed name for GoogleGroups env variable + unit tests

* Added changelog

---------

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2023-09-08 16:27:15 +01:00
Jan Larwig
6f6039c82b bugfix: move oidc scope logic to oidc provider 2023-09-08 05:35:41 +00:00
kvanzuijlen
07591fc93a
Update changelog for v7.5.0 release 2023-09-04 12:28:38 +02:00
Koen van Zuijlen
a6e8ec81e8
Workload identity support (#2126)
* WIP: support for workload identity

* WIP: bugfixes to support WI

* Added support for Workload Identity

* Added missing flag

* Refactoring and typo

* Updated CHANGELOG.md

* Updated docs

* Updated changelog

* Improved readability and fixed codeclimate issues

* Update CHANGELOG.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Fixed if statement

* Apply suggestions from code review

Co-authored-by: Jan Larwig <jan@larwig.com>

* Cleanup

* Removed target principal

* Removed references to target principal

* Added docs

* Fixed header anchor linking

* Update auth.md

* Updated generated code

* Improved code

* Fixed tests

---------

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Jan Larwig <jan@larwig.com>
2023-09-04 10:34:54 +01:00
Cory Bolar
40ee2bb944 Add changelog entry 2023-08-24 20:50:43 -04:00
Joseph Weigl
bd867b5138
Bugfix/check json path (#1921)
* Validate jsonpath in claim extractor

Signed-off-by: Joseph Weigl <joseph.weigl@audi.de>

* Add test and changelog for claim extractor json path

---------

Signed-off-by: Joseph Weigl <joseph.weigl@audi.de>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2023-08-24 13:40:43 +01:00
Jan Wystub
2d22530f8f
docs: add changelog entry 2023-08-23 15:15:50 +02:00
t-katsumura
d107d885e4
Session-Cookie Support (#1713)
* Create session cookie when cookie-expire set 0

* Fix format

* add test

* fix lint error

* fix test code

* fix conflicted test case

* update test case of cookie expiration

* update tests of csrf cookies

* update docs

* Update docs/docs/configuration/overview.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

---------

Co-authored-by: tanuki884 <morkazuk@fsi.co.jp>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2023-08-16 12:23:02 +01:00
Nuno Miguel Micaelo Borges
6f11e60c0a
Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS (#2047)
* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

---------

Co-authored-by: Nuno Borges <Nuno.Borges@ctw.bmwgroup.com>
2023-04-07 12:33:42 +01:00
Amr Hanafi
dd4fa414ea
Update golang.org/x/net to v0.7.0 ato address GHSA-vvpx-j8f3-3w6h (#2028)
* Update golang.org/x/net to v0.7.0 ato address GHSA-vvpx-j8f3-3w6h

Addresses https://github.com/advisories/GHSA-vvpx-j8f3-3w6h

Signed-off-by: Amr Hanafi (MAHDI)) <amrh@microsoft.com>

* Update CHANGELOG

---------

Signed-off-by: Amr Hanafi (MAHDI)) <amrh@microsoft.com>
2023-03-07 10:42:12 +00:00
Ole-Martin Bratteng
5d60177d3e
Log the difference between invalid email and not authorized session (#2010)
* Log the difference between invalid email and not authorized session

* Add changelog entry

* Remove superfluous argument

---------

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2023-03-05 18:28:56 +00:00
Cory Bolar
1bb3fbcea6
Ensure sign-in page background is uniform throughout the page (#1988)
* Ensure sign-in page background is uniform throughout the page

Configured banners that take up large amounts of space leave a gap of blank
background between where the body ends and the footer starts.  Fix this by
setting the style for the section containing the banner to match the body and
footer

* Add changelog entry

---------

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2023-03-05 17:24:35 +00:00
Nuno Miguel Micaelo Borges
e079c60dfe
Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is wri… (#2013)
* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs

* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs

* Fixes CVE-2022-41721 (#1994)

See: https://avd.aquasec.com/nvd/2022/cve-2022-41717/

* update checkout actions (#1981)

* Fix a typo in oauthproxy.go (#2021)

* fix typo (#2001)

* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs

* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs

* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs

* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs

* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs

* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs

* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs

---------

Co-authored-by: Nuno Borges <Nuno.Borges@ctw.bmwgroup.com>
Co-authored-by: Jeroen Landheer <jlandheer@bintelligence.nl>
Co-authored-by: Ryuichi Watanabe <ryucrosskey@gmail.com>
Co-authored-by: Ho Kim <ho.kim@ulagbulag.io>
Co-authored-by: Terrell Russell <terrellrussell@gmail.com>
2023-03-05 17:12:55 +00:00
Nuno Miguel Micaelo Borges
cbc973c8d9
Issue 1878: Validate URL call does not correctly honor already set UR… (#1951)
* Issue 1878: Validate URL call does not correctly honor already set URL parameters

* Issue 1878: Validate URL call does not correctly honor already set URL parameters

* Update CHANGELOG.md

---------

Co-authored-by: Nuno Borges <Nuno.Borges@ctw.bmwgroup.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2023-02-10 18:36:13 +00:00
Marc Schiereck
5577cf0151 add changelog entry 2023-02-03 14:35:33 +00:00
Kobi Meirson
f753ec1ca5
feat: readiness check (#1839)
* feat: readiness check

* fix: no need for query param

* docs: add a note

* chore: move the readyness check to its own endpoint

* docs(cr): add godoc

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2022-12-23 09:08:12 +00:00
Jan Larwig
8b77c97009
Fix default scope settings for none oidc providers like GitHub (#1927)
* fix default scope settings for none oidc providers

* add changelog for bugfix

* fix scope test cases by producing and accessing correct result value
2022-12-23 09:00:57 +00:00
Braunson M
f4f5b7756c Fix PKCE code verifier generation to never use UTF-8 characters
- This could result in intermittent/random failures of PKCE enabled IdP's
2022-11-18 20:37:14 -05:00
Damien Degois
fd2807c091
Fix uninitialized user claim (#1873)
* Fix uninitialized user claim

Some providers doesn't initialize data with setProviderDefaults function
(keycloak-oidc for example), therefore UserClaim is never initialized
with the default value and stay as an empty string.
This result in an empty user.

* Add CHANGELOG.md entry for #1873

* Call setProviderDefaults where missing

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2022-11-07 08:42:33 +00:00
Braunson M
92b2231c6f Set correct platform type for arm v8 docker images
- A previous attempt used the wrong platform value which resulted in a build without the v8 variant being
created.
- Platform formatting is defined in the containerd source code as referenced by the docker documentation:
https://github.com/containerd/containerd/blob/v1.4.3/platforms/platforms.go#L63

Fixes #1593 - again
2022-11-03 21:28:05 -04:00
Damien Degois
86011e8ac7 Protect htpasswd user list from race condition 2022-11-03 15:38:41 +01:00
Joel Speed
2c21b2830d
Update changelog for v7.4.0 release 2022-10-29 13:19:48 +01:00
Joel Speed
d4e3bf4df0
Update changelog 2022-10-29 12:49:54 +01:00
dulakm
95e56e3445
updated release notes regarding azure provider issue (#1771) 2022-10-28 08:32:19 +01:00
Muhammad Arham
1e21a56f99
Update go-redis/redis to v9. (#1847)
* Update go-redis/redis to v9.
- And updated redislock, testify, ginko and gomega have also been updated.
- Renamed the option `IdleTimeout` to `ConnMaxIdleTime` because of 517938a6b0/CHANGELOG.md

* Update CHANGELOG.md

* Dropping dot import of the types since they created aliases now

* fixing some error messages to make tests happy

* updating more error messages that were changed to make tests happy

* reverting error messages

Co-authored-by: Muhammad Arham <marham@i2cinc.com>
2022-10-24 16:41:06 +01:00
Damien Degois
5b5894af07
Keycloak provider - Retain user and prefered_username in session (#1815)
* Keycloak provider - Retain user and prefered_username in session

* Add CHANGELOG for PR #1815
2022-10-24 08:47:59 +01:00
Centzilius
ece3d62d64
set providerDefaults for oidc consistently (#1828)
* set providerDefaults for oidc consistently

* docs: document #1828 in CHANGELOG
2022-10-23 10:48:20 +01:00
Adrian Aneci
2f1fecae39 add changelog entry 2022-10-22 17:17:36 +03:00
Adrian Aneci
a5d918898c Add azure groups support and oauth2 v2.0 2022-10-21 20:23:21 +03:00
Chris Bednarz
6afcae295a
Updated net and text packages to address CVE-2022-27664 and CVE-2022-32149. (#1825)
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2022-10-15 14:33:44 +01:00
NiteHawk
c395669649
20220802 fix nextcloud (#1750)
* Avoid Nextcloud "Current user is not logged in" (Statuscode 997)

The error message results from oauth2-proxy trying to pass the
access token via URL. Instead it needs to be sent via header,
thus the Nextcloud provider requires a fix similar to what #1502
did before for the keycloak provider.

* Implement EnrichSession() for Nextcloud provider

Parse nested JSON to transform relevant information (groups, id,
email) from the OAuth2 userinfo endpoint into session.

* Update CHANGELOG.md (add link to PR #1750)
2022-10-15 14:25:15 +01:00
Segfault16
965fab422d
Add API route config (#1760)
* Add API route config

In addition to requests with Accept header `application/json` return 401 instead of 302 to login page on requests matching API paths regex.

* Update changelog

* Refactor

* Remove unnecessary comment

* Reorder checks

* Lint Api -> API

Co-authored-by: Sebastian Halder <sebastian.halder@boehringer-ingelheim.com>
2022-09-11 16:09:32 +01:00
tooptoop4
b82593b9cc
Update base docker image to alpine 3.16 (#1788)
* Update Dockerfile

* Update CHANGELOG.md
2022-09-10 11:59:54 +01:00
Ian Serpa
f53754808b Support negating for skip auth routes 2022-09-02 22:23:29 +02:00
Alexandru Ciobanu
037cb041d3
Watch the htpasswd file for changes and update the htpasswdMap (#1701)
* dynamically update the htpasswdMap based on the changes made to the htpasswd file

* added tests to validate that htpasswdMap is updated after the htpasswd file is changed

* refactored `htpasswd` and `watcher` to lower cognitive complexity

* returned errors and refactored tests

* added `CHANGELOG.md` entry for #1701 and fixed the codeclimate issue

* Apply suggestions from code review

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Fix lint issue from code suggestion

* Wrap htpasswd load and watch errors with context

* add the htpasswd wrapped error context to the test

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2022-09-01 19:46:00 +01:00
Braunson
fcecbeb13c
Inconsistent code-challenge-method CLI flag and config file naming (#1766)
* Inconsistent code-challenge-method CLI flag and config file naming

- Allow previous config option for now to prevent breaking configs

Fixes #1667

* Add changelog entry

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2022-09-01 10:58:43 +01:00
Chris Bednarz
ebacc2d7e4 Added ability to specify allowed TLS cipher suites. 2022-08-31 17:55:06 -07:00
Nuno Miguel Micaelo Borges
a1ff878fdc
Add flags to define CSRF cookie expiration time and to allow CSRF cookies per request (#1708)
* Add start of state to CSRF cookie name

* Update CHANGELOG.md

* Update CHANGELOG.md

* Support optional flags

* Update CHANGELOG.md

* Update CHANGELOG.md

* Update CHANGELOG.md

* Update overview.md

Add new CSRF flags

* Update overview.md

Describe new CSRF flags

Co-authored-by: Nuno Borges <Nuno.Borges@ctw.bmwgroup.com>
2022-08-31 23:27:56 +01:00
Felipe B. Conti
ff03c43842
Fix vulnerabilities on crypto, net and sys packages and change go ver… (#1774)
* Fix vulnerabilities on crypto, net and sys packages and change go version on Docker builder stage

* Changelog related PR $1774

Co-authored-by: Felipe Bonvicini Conti <felipe.conti@totvs.com.br>
2022-08-31 21:37:07 +01:00
Dmitry Kartsev
0cfb9c6da0
adding IdleTimeout with the redis-connection-idle-timeout flag, to ke… (#1691)
* adding IdleTimeout with the redis-connection-idle-timeout flag, to keep redis connections in valid state, when Redis  option is set

* docs update - add redis idle timeout configurations

* changelog update for #1691 fix
2022-08-09 21:57:13 +01:00
Chris
6e02bb496b
Extract Keycloak roles while creating a session from token (#1720)
* extract roles while creating session

* add test

* adjust changelog

* remove unused func

* shorten implementation

Co-authored-by: Christian Hirsch <christian.hirsch@nitrado.net>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2022-08-08 23:28:46 +01:00
t-katsumura
bcadad4c30
Fix method deprecated error in lint (#1699)
* fix method deprecated error in lint

* Fix logic of testing GetCertPool() method

* fix typo

* improve comment

* Fix typo

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2022-08-08 23:18:29 +01:00
Alexandru Ciobanu
33a3a602bc added CHANGELOG.md entry for #1709 2022-07-13 16:26:30 +03:00
Joel Speed
95e1a4973e
Update CHANGELOG for v7.3.0 release 2022-05-29 15:36:50 +01:00
Joel Speed
d3f428a1a6
Discover signature algorithms from OIDC provider (#1662) 2022-05-29 13:48:09 +01:00