f4321c4b45
Update cookie generation to match base64 encoding
...
Current code is using URLEncoding but example was using the
standard RFC 4648 encoding. Switch to using the URL
encoding in the example as well.
2017-07-20 13:28:41 +02:00
3c51c914ac
Merge pull request #405 from bspaans/patch-1
...
Update Google Auth Provider instructions
2017-06-21 09:24:24 -04:00
7fea71a4ce
Update Google Auth Provider instructions
2017-06-21 11:03:24 +01:00
cddd2fcd7c
Merge pull request #402 from shividhar/master
...
Fix spelling mistake in docs
2017-06-09 12:23:50 -04:00
c8c6b66465
Fix spelling mistake in docs
2017-06-09 12:17:24 -04:00
6d6cb7e1f8
Merge pull request #392 from arnottcr/master
...
[github provider] use Authorization header, not access_token query parameter
2017-05-26 08:42:07 -04:00
17b1fa31dd
use Authorization header, not access_token query parameter
2017-05-18 03:45:34 +00:00
f4c356637f
Merge pull request #382 from ploxiln/auth_request_readme
...
README: nginx auth_request example updates
2017-05-15 20:50:28 -04:00
6d295f8446
README: nginx auth_request example refresh cookie handling
...
how to pass back the refreshed oauth2_proxy cookie from an nginx auth_request
2017-04-24 17:59:21 -04:00
7f5672b433
README: simplify nginx auth_request example
...
/oauth2/auth is not more sensitive than other /oauth2/ paths,
does not need "internal" protection
"spdy" protocol is obsolete, http2 is the thing to enable now.
But it's orthogonal anyway.
No need for two separate content/upstream location blocks in
this example, reduce to just one, with a comment that it could
be serving files instead of proxying.
2017-04-24 17:56:15 -04:00
ea2540bc89
Merge pull request #381 from ploxiln/dist_strip
...
dist.sh: use go build option to strip binaries
2017-04-24 16:34:22 -04:00
68e3178812
dist.sh: use go build option to strip binaries
...
30% release binary size reduction
2017-04-24 16:04:36 -04:00
d7e327d712
bump to version 2.2.1-alpha for development
2017-04-24 16:04:06 -04:00
b90a23473f
Merge pull request #380 from jehiah/release_380
...
Release v2.2
v2.2
2017-04-24 12:22:11 -04:00
f457a9042a
Readme: update --help usage
2017-04-24 12:16:16 -04:00
3fa5635d6c
Release 2.2.0
2017-04-24 12:11:23 -04:00
f511cac6a6
Merge pull request #365 from travisofthenorth/fix/default-http-address
...
Fix url parse error
2017-04-20 14:57:39 -04:00
120a47a526
Merge pull request #370 from idntfy/master
...
#369 : Optionally allow skipping authentication for preflight requests
2017-04-07 09:20:33 -04:00
1e7d2a08a3
#369 : Optionally allow skipping authentication for preflight requests
2017-04-07 15:01:47 +03:00
f983933d88
Parse http address without url
2017-04-02 16:23:27 -04:00
af7be2d622
Merge pull request #319 from advarisk/auth-request
...
various fixes for getting Nginx auth_request mode working
2017-03-29 12:14:24 -04:00
fe44b89f57
update documentation for Nginx auth_request mode
2017-03-29 21:28:55 +05:30
90a22b2f39
Use X-Auth-Request-Redirect request header in sign-in page
...
This is useful in Nginx auth_request mode, if a 401 handler is
configured to redirect to the sign-in page. As the request URL
does not reflect the actual URL, the value is taken from the
header "X-Auth-Request-Redirect" instead. Based on #247
2017-03-29 21:28:55 +05:30
829b442302
add --set-xauthrequest flag for use in Nginx auth_request mode
...
This is an enhancement of #173 to use "Auth Request" consistently in
the command-line option, configuration file and response headers.
It always sets the X-Auth-Request-User response header and if the
email is available, sets X-Auth-Request-Email as well.
2017-03-29 21:28:55 +05:30
93852a24cb
Merge pull request #362 from jehiah/ssl_insecure_skip_verify_362
...
Option to skip SSL verification
2017-03-29 11:02:26 -04:00
dcf62d06df
option for skipping OAuth provider SSL verification
2017-03-29 10:57:07 -04:00
bb9b607440
Merge pull request #361 from jehiah/gofmt_361
...
travis: run gofmt and go vet
2017-03-29 09:53:19 -04:00
c5fc7baa86
gofmt
2017-03-29 09:36:38 -04:00
c1116ea506
travis: run gofmt and go vet
2017-03-29 09:36:23 -04:00
4464655276
Merge pull request #360 from jehiah/csrf_validation_360
...
CSRF protection for OAuth flow.
2017-03-29 09:36:04 -04:00
55085d9697
csrf protection; always set state
2017-03-29 09:31:10 -04:00
6c690b699b
Merge pull request #339 from omazhary/issue-205
...
Allow to pass user headers only
2017-03-28 21:42:29 -04:00
107b4811b4
Merge pull request #346 from bdwyertech/patch-1
...
Oversize Cookie Alert
2017-03-28 21:40:11 -04:00
cd0d13e3fb
Merge pull request #357 from wrapp/skip-group-lookup-404
...
Skip 404 errors when looking up Google groups
2017-03-28 21:38:55 -04:00
86d083266b
Merge pull request #359 from jehiah/redirect_check_359
...
Improve redirect checks
2017-03-28 21:34:23 -04:00
289a6ccf46
add check for //.* to prevent open redirect during oauth
2017-03-28 21:12:33 -04:00
652f43ed38
Skip 404 errors when looking up Google groups
...
When checking user membership against Google groups the groups are checked one
at a time and in the order that they were supplied. If one of the groups does
not exist then the checking is halted with the following error.
google.go:201: googleapi: Error 404: Resource Not Found: groupKey, notFound
None of the groups following the missing group are checked either. This means
that something as trivial as a typo in the first group will make it impossible
for anybody to log in.
This change catches the 404, logs a message, and then carries on as usual. In
this way a typo will cause a particular group to stop working but will not
affect any other groups.
2017-03-28 16:06:15 +02:00
712739f777
Merge pull request #356 from jehiah/bump_dependencies_356
...
Update vendored dependencies.
2017-03-27 21:07:08 -04:00
2ebab604eb
bump golang.org/x/... and google.golang.org dependencies
2017-03-27 20:56:15 -04:00
b884b36f26
bump easy pkg upgrades; drop Go 1.6 (no httptest.NewRequest)
...
This fixes a test w request signing due to a content-length:0 header from Go 1.8
2017-03-27 20:36:35 -04:00
951b5f325b
Merge pull request #355 from ploxiln/dist_updates
...
dist.sh and Godeps updates
2017-03-27 20:16:44 -04:00
9167c8ace8
travis: update go versions, gpm version
2017-03-27 19:40:12 -04:00
a2eeec2b7a
Godeps: remove redundant dep, add missing
...
golang.org/x/oauth2/google is same repo as golang.org/x/oauth2
- this sometimes confused gpm/git
cloud.google.com/go/compute/metadata is a missing dependency
of golang.org/x/oauth2
2017-03-27 19:17:42 -04:00
2024dc34ac
dist.sh: run gpm with GOPATH=$DIR/.godeps
...
so gpm is not affected if module exists in user's GOPATH already
2017-03-27 19:13:05 -04:00
86c9638572
dist.sh: already uses set "-e", remove "|| exit 1"
2017-03-27 18:16:39 -04:00
7d920c98a6
Merge pull request #354 from ploxiln/dist_win_exe
...
dist.sh: add .exe for windows build
2017-03-27 14:49:40 -04:00
bc3fe00be4
dist.sh: add .exe for windows build
2017-03-27 14:35:28 -04:00
87847316d4
Merge pull request #349 from braincube-io/signout
...
[signout] Implement logout endpoint
2017-03-22 23:08:47 -04:00
562cc2e466
[signout] Implement logout endpoint
2017-03-21 17:40:47 +01:00
3379e05fec
Oversize Cookie Alert
...
Cookies cannot be larger than 4kb
2017-02-23 18:48:34 -05:00