mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2024-12-10 11:10:27 +02:00
Commit Graph

726 Commits

Author SHA1 Message Date
Joel Speed
bd64aeb7ee
Merge pull request #122 from costelmoraru/expose_cookie_path
Expose -cookie-path as configuration parameter
2019-04-10 13:55:12 +01:00
Costel Moraru
f7c85a4d16 Removing obsolete comment from EncodeSessionState 2019-04-10 15:28:03 +03:00
Costel Moraru
862e75a4e4 Adjusted the cookie path sample in the documentation 2019-04-10 14:50:19 +03:00
Costel Moraru
dc8934ca93 Update documentation, to add the flag to the list of flags 2019-04-10 12:52:50 +03:00
Costel Moraru
f5f64e7d6c Update the changelog 2019-04-10 00:42:17 +03:00
Costel Moraru
071d17b521 Expose -cookie-path as configuration parameter 2019-04-10 00:36:35 +03:00
Costel Moraru
f5a6609b45 Fixing lint error 2019-04-09 15:17:40 +03:00
Costel Moraru
6da6ee7f84 Encrypting user/email from cookie, add changelog 2019-04-09 15:00:17 +03:00
Costel Moraru
4f7517b2f9 Encrypting user/email from cookie 2019-04-09 14:55:33 +03:00
Joel Speed
e9d4f6e0a1
Merge pull request #110 from timothy-spencer/gcphealthcheck
added an option to enable GCP healthcheck endpoints
2019-03-27 11:58:14 +00:00
Joel Speed
da0d4ac50d
Merge pull request #113 from daB0bby/patch-1
fixes typo
2019-03-26 16:00:39 +00:00
timothy-spencer
6bb32c8059
It's not really mine 2019-03-26 08:59:03 -07:00
daB0bby
9660839667
fixes typo in set-authorization-header 2019-03-26 16:49:04 +01:00
timothy-spencer
2679579f44
updated documentation to reflect GKE ingress support too 2019-03-25 11:44:17 -07:00
timothy-spencer
d44f58f0e2
found another edge case to test 2019-03-25 10:47:30 -07:00
timothy-spencer
ff4e5588d8
incorporate suggestions from @benfdking 2019-03-25 10:32:29 -07:00
timothy-spencer
1ff17a3fa1
travis ci tests had a temporary failure, so this is to get it to retest 2019-03-25 10:10:07 -07:00
timothy-spencer
e2755624ec
made gcp healthcheck test better 2019-03-25 10:03:22 -07:00
Tim Spencer
189bda3781
Merge branch 'master' into gcphealthcheck 2019-03-25 09:57:52 -07:00
timothy-spencer
3d22a11658
added better tests for gcp healthcheck stuff 2019-03-25 09:56:56 -07:00
Joel Speed
a38b0dcec2
Merge pull request #112 from gyson/improve-websocket-support
Improve websocket support
2019-03-25 10:27:08 +00:00
gyson
b67614c90f Update CHANGELOG.md 2019-03-22 17:41:55 -04:00
gyson
978c0a33e4 Improve websocket support 2019-03-22 17:19:38 -04:00
timothy-spencer
e9f36fa4b5
added the PR to the changelog 2019-03-20 14:44:01 -07:00
timothy-spencer
2147ae8cfd
added gcp-healthchecks flag in readme, fixed link to logingov-provider 2019-03-20 14:38:06 -07:00
timothy-spencer
3476daf322
added an option to enable GCP healthcheck endpoints 2019-03-20 14:29:44 -07:00
Carlos Alexandro Becker
24f36f27a7
fix: check if it is both primary and verified 2019-03-20 13:52:30 -03:00
Carlos Alexandro Becker
95ee4358b2
Merge remote-tracking branch 'upstream/master' into verified 2019-03-20 13:46:04 -03:00
Joel Speed
ca89bb833d
Merge pull request #108 from pkoenig10/patch-1
Set redirect URL path when host is present
2019-03-20 16:41:09 +00:00
Patrick Koenig
6f9eac5190
Set redirect URL path when host is present 2019-03-20 09:25:04 -07:00
YAEGASHI Takeshi
2070fae47c Use encoding/json for SessionState serialization (#63)
* Use encoding/json for SessionState serialization

In order to make it easier to extend in future.

* Store only email and user in cookie when cipher is unavailable

This improves safety and robustness, and also preserves the existing
behaviour.

* Add TestEncodeSessionState/TestDecodeSessionState

Use the test vectors with JSON encoding just introduced.

* Support session state encoding in older versions

* Add test cases for legacy session state strings

* Add check for wrong expiration time in session state strings

* Avoid exposing time.Time zero value when encoding session state string

* Update CHANGELOG.md
2019-03-20 13:59:24 +00:00
Berjou
a656435d00 Implement Getter interface for StringArray (#104)
This commit fixes issue #98
2019-03-20 13:58:14 +00:00
Tim Spencer
8cc5fbf859 add login.gov provider (#55)
* first stab at login.gov provider

* fixing bugs now that I think I understand things better

* fixing up dependencies

* remove some debug stuff

* Fixing all dependencies to point at my fork

* forgot to hit save on the github rehome here

* adding options for setting keys and so on, use JWT workflow instead of PKCE

* forgot comma

* was too aggressive with search/replace

* need JWTKey to be byte array

* removed custom refresh stuff

* do our own custom jwt claim and store it in the normal session store

* golang json types are strange

* I have much to learn about golang

* fix time and signing key

* add http lib

* fixed claims up since we don't need custom claims

* add libs

* forgot ioutil

* forgot ioutil

* moved back to pusher location

* changed proxy github location back so that it builds externally, fixed up []byte stuff, removed client_secret if we are using login.gov

* update dependencies

* do JWTs properly

* finished oidc flow, fixed up tests to work better

* updated comments, added test that we set expiresOn properly

* got confused with header and post vs get

* clean up debug and test dir

* add login.gov to README, remove references to my repo

* forgot to remove un-needed code

* can use sample_key* instead of generating your own

* updated changelog

* apparently golint wants comments like this

* linter wants non-standard libs in a separate grouping

* Update options.go

Co-Authored-By: timothy-spencer <timothy.spencer@gsa.gov>

* Update options.go

Co-Authored-By: timothy-spencer <timothy.spencer@gsa.gov>

* remove sample_key, improve comments related to client-secret, fix changelog related to PR feedback

* github doesn't seem to do gofmt when merging.  :-)

* update CODEOWNERS

* check the nonce

* validate the JWT fully

* forgot to add pubjwk-url to README

* unexport the struct

* fix up the err masking that travis found

* update nonce comment by request of @JoelSpeed

* argh.  Thought I'd formatted the merge properly, but apparently not.

* fixed test to not fail if the query time was greater than zero
2019-03-20 13:44:51 +00:00
einfachchr
f715c9371b Fixes deletion of split cookies - Issue #69 (#70)
* fixes deletion of split cookies

* three minor adjustments to improve the tests

* changed cookie name matching to regex

* Update oauthproxy.go

Co-Authored-By: einfachchr <einfachchr@gmail.com>

* removed unused variable

* Changelog
2019-03-15 07:18:37 +00:00
Joel Speed
cfd1fd83bd
Merge pull request #101 from pusher/fix-callback-path
Revert OAuthCallbackPath
2019-03-12 17:33:24 +00:00
Joel Speed
e195a74e26
Revert OAuthCallbackPath 2019-03-12 16:46:37 +00:00
Carlos Alexandro Becker
58b8bbe491
fix: changelog 2019-03-11 14:55:02 -03:00
Carlos Alexandro Becker
b49aeb222b
fix: should check if email is verified 2019-03-11 14:52:08 -03:00
Joel Speed
056089bbcc
Merge pull request #92 from butzist/feature/wsproxy
Merge websocket proxy feature from openshift/oauth-proxy
2019-03-11 13:22:20 +00:00
Adam Szalkowski
c7193b4085 Merge websocket proxy feature from openshift/oauth-proxy. Original author: Hiram Chirino <hiram@hiramchirino.com> 2019-03-11 14:05:16 +01:00
Joel Speed
21c9d38ada
Merge pull request #57 from aigarius/patch-1
Fall back to using OIDC Subject instead of Email
2019-03-08 14:20:12 +00:00
Aigars Mahinovs
4e6593bc60 Update changelog for pull request #57 2019-03-08 13:41:15 +01:00
Aigars Mahinovs
7acec6243b Fall back to using OIDC Subject instead of Email
Email is not a mandatory field; Subject is mandatory and expected to be unique. Might want to take a look at UserInfo first, however.

Issue: #56
2019-03-08 13:39:08 +01:00
Joel Speed
84d7c51bb6
Merge pull request #85 from kskewes/dockernoroot
Use non-root user in docker images
2019-03-05 20:32:39 +00:00
Joel Speed
bfccc1f261
Update CHANGELOG.md
Co-Authored-By: kskewes <karl.skewes@gmail.com>
2019-03-05 11:42:11 -08:00
dt-rush
549766666e fix redirect url param handling (#10)
* Added conditional to prevent user-supplied redirect URL getting
clobbered

Change-type: patch

* use redirectURL as OAuthCallbackURL (as it should be!)

Change-type: patch
2019-03-05 14:58:26 +00:00
Ben
66c5eb3174 Small clarification around health checks (#84)
Type: docs
I simply added the word health check. I was searching all over the
package for a health check, to only realise that it had been called
ping. I think the small addition might help others avoid my troubles.
2019-03-05 14:09:30 +00:00
Gabor Lekeny
eacba4ec7d Add id_token refresh to Google provider (#83) 2019-03-05 14:07:10 +00:00
Karl Skewes
80b5873a26 Potentially breaking change: docker user & group
Run as non-root user and group

In the unlikely event that you are currently persisting data to disk then this
change may break file read/write access due to a change in the UID/GID that the
oauth2_proxy process runs as.

Run as non-root system user and group `oauth2proxy` with UID/GID `2000` to avoid clashing with typical local users.
An alternative to creating a separate user is to ~~chown binary and~~ run as `USER nobody`, which also works; I can amend this PR if required.

Least access privileges.
Close: https://github.com/pusher/oauth2_proxy/issues/78

Locally with Docker (`-version`):
```
$ ps aux | grep oauth2
2000     25192  6.0  0.0      0     0 ?        Ds   15:53   0:00 [oauth2_proxy]
```

Running in Kubernetes 1.13 with the following also specified:
```
        securityContext:
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 10001
```
```
$ kubectl exec -it -n oauth2-proxy oauth2-proxy-85c9f58ffc-dz9lr sh
/opt $ whoami
whoami: unknown uid 10001
/opt $ ps aux
PID   USER     TIME  COMMAND
    1 10001     0:00 /opt/oauth2_proxy --whitelist-domain=.example.com --cookie-domain=example.com --email-domain=example.com --upstream=file:///dev/null --http-address=0.0.0.0:4180
   11 10001     0:00 sh
   17 10001     0:00 ps aux
```


- [x] My change requires a change to the documentation or CHANGELOG.
- [x] I have updated the documentation/CHANGELOG accordingly.
- [x] I have created a feature (non-master) branch for my PR.
2019-03-05 21:37:04 +13:00
Marcel D. Juhnke
8816a2a972 Add -skip-oidc-discovery option (#41)
* added karrieretutor go-oidc fork for using an AAD B2C Policy

* added karrieretutor go-oidc fork for using an AAD B2C Policy

* added --skip-oidc-discovery option

* added --skip-oidc-discovery option

* add simple test for skip-oidc-discovery option

* revert Dockerfile to pusher upstream

* revert Dockerfile to pusher upstream

* remove karrieretutor b2c option leftover

* remove karrieretutor b2c option leftover

* Fix typo (missing letters)

Co-Authored-By: marratj <marrat@marrat.de>

* Fix typo (missing letters)

Co-Authored-By: marratj <marrat@marrat.de>

* replace fake http client with NewProvider() from go-oidc

* remove OIDC UserInfo URL option (not required)

* add info about -skip-oidc-discovery to README

* add note to changelog

* Update outdated comment
2019-03-04 13:54:22 +00:00