0645e19c24
Cleanup internalSession params & handle profileURL Bearer case better
...
`findClaimsFromIDToken` would always have a `nil` access token and not be
able to hit the userinfo endpoint in Bearer case. If access token is nil,
default to legacy `session.Email = claim.Subject` that all JWT bearers used
to have, even if a valid profileURL is present.
2020-08-14 13:31:38 -07:00
dcc75410a8
Handle claim finding differently in bearer vs standard IDTokens
2020-08-14 13:31:38 -07:00
514db45d1a
Allow OIDC Bearer Tokens without emails
...
This reverts to functionality before #499 where an OIDC
provider could be used with `--skip-jwt-bearer-tokens` and
tokens without an email or profileURL would still be valid.
This logic mirrors `middleware.createSessionStateFromBearerToken`
which used to be the universal logic before #499 .
2020-08-14 13:31:38 -07:00
8515da3e91
Merge pull request #714 from grnhse/redis-sentinel-password
...
Support Password & SentinelPassword in Redis session store
2020-08-14 14:09:54 +01:00
51a9062044
Support Password & SentinelPassword in Redis session store
2020-08-11 12:22:05 -07:00
35ed7a313b
Merge pull request #719 from grnhse/gosec-x-oauth-basic-skip
...
Add `x-oauth-basic` nosec annotation & address gosec unhandled errors
2020-08-11 11:56:07 -07:00
b6e78efc1e
Add x-oauth-basic nosec annotation & address gosec unhandled errors
2020-08-10 15:15:16 -07:00
d69fd6af22
Allow Logging to stdout with separate Error Log Channel ( #718 )
...
* Add dedicated error logging writer
* Document new errors to stdout flag
* Update changelog
* Thread-safe the log buffer
* Address feedback
* Remove duplication by adding log level
* Clean up error formatting
* Apply suggestions from code review
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk >
2020-08-10 11:44:08 +01:00
33e04cc52f
Merge pull request #690 from grnhse/gosec-findings-fixes
...
Address gosec findings
2020-08-09 08:24:37 -07:00
a1358d2070
Panic on any logger errors
...
Any template errors instead of IO
errors are caught in validation.
2020-08-09 07:55:41 -07:00
e88d29f16a
Refactor SignInMessage out of main
2020-08-09 07:55:41 -07:00
46cc21d8cf
Skip gosec linting on tests
2020-08-09 07:55:41 -07:00
45222395e0
Attempt to log still on template errors
2020-08-09 07:55:40 -07:00
542bf1fad1
Add gosec to .golangci.yml
2020-08-09 07:55:40 -07:00
ad52587ae6
Document GoSec nosec skip comments
2020-08-09 07:55:40 -07:00
2bb0160bf3
Streamline error page usage
2020-08-09 07:55:40 -07:00
1c8c5b08d7
Handle cookie signing errors
2020-08-09 07:55:40 -07:00
65c228394f
Address gosec findings
...
Mostly handling unhandled errors appropriately.
If logging to STDERR fails, we panic. Added #nosec
comments to findings we are OK with.
2020-08-09 07:55:39 -07:00
7b21f53aad
Merge pull request #689 from grnhse/finicky-logging-time-test
...
Fix time issue causing finicky failures in logging tests
2020-08-07 08:32:17 +01:00
81ec9edf53
Fix time issue causing finicky failures in logging tests
2020-08-06 15:44:05 -07:00
0cf0fd88e8
Merge pull request #710 from ryandesign/patch-1
...
Fix typos and other minor edits
2020-08-04 07:58:53 -07:00
6e31eb28d5
Fix typos and other minor edits
2020-08-04 01:29:00 -05:00
bbf00bc92b
Merge pull request #701 from jhutchings1/patch-1
...
Add pull request events to CodeQL action
2020-07-29 12:23:08 +01:00
43189a7854
Add pull request events to CodeQL action
...
This will validate pull requests from forks to ensure that changes don't end up impacting you negatively.
2020-07-28 21:42:21 -07:00
2318716a89
Merge pull request #699 from grnhse/refactor-persistence-tests
...
Align persistence ginkgo tests to conventions
2020-07-22 11:23:49 +01:00
19836f85ac
Align persistence ginkgo tests to conventions
2020-07-21 22:13:17 -07:00
88ef888752
Preserve query when building redirect (fix for #695 ) ( #696 )
...
* Add test for GetRedirect to check query and fragments.
* Preserve query and fragment when building redirect.
* Add changelog entry for redirect fix
2020-07-21 16:38:13 +01:00
c5da3dff9c
Merge pull request #561 from oauth2-proxy/provider-urls-refactor
...
Move provider URLs to package level vars
2020-07-20 11:50:47 +01:00
9643a0b10c
Centralize Ticket management of persistent stores ( #682 )
...
* Centralize Ticket management of persistent stores
persistence package with Manager & Ticket will handle
all the details about keys, secrets, ticket into cookies,
etc. Persistent stores just need to pass Save, Load &
Clear function handles to the persistent manager now.
* Shift to persistence.Manager wrapping a persistence.Store
* Break up the Redis client builder logic
* Move error messages to Store from Manager
* Convert ticket to private for Manager use only
* Add persistence Manager & ticket tests
* Make a custom MockStore that handles time FastForwards
2020-07-19 21:25:13 +01:00
f141f7cea0
Merge pull request #688 from oauth2-proxy/session-middlewares
...
Refactor session loading to make use of middleware pattern
2020-07-19 20:40:17 +01:00
1aac37d2b1
Merge pull request #593 from oauth2-proxy/proxy-refactor
...
Integrate upstream package with OAuth2 Proxy
2020-07-19 20:10:56 +01:00
d4dd34a65a
Move provider URLs to package level vars
2020-07-19 18:34:55 +01:00
3f00143175
Add changelog entry for session middleware refactor
2020-07-19 17:24:58 +01:00
eb234011eb
Integrate sessions middlewares
2020-07-19 17:24:12 +01:00
034f057b60
Add session loader from session storage
2020-07-19 17:21:42 +01:00
7d6f2a3f45
Add Basic Auth session loader middleware
2020-07-19 17:21:42 +01:00
c81a7ed197
Add JWT session loader middleware
2020-07-19 17:21:42 +01:00
2768321929
Add request scope middleware
2020-07-19 17:21:42 +01:00
d43b372ca9
Use bool pointers for upstream options that default to true
2020-07-19 14:01:36 +01:00
6b27069812
Add changelog entry for integrating new upstream proxy
2020-07-19 14:01:36 +01:00
71dc70222b
Break legacy upstream options into LegacyUpstreams struct
2020-07-19 14:01:36 +01:00
5dbcd73722
Configure OAuth2 Proxy to use new upstreams package and LegacyConfig
2020-07-19 08:17:53 +01:00
e932381ba7
Add LegacyOptions and conversion to new Options
...
This will be temporary until we switch to structured config, then we can remove the LegacyOptions and conversions
2020-07-19 08:17:53 +01:00
e02f99eb58
Merge pull request #687 from oauth2-proxy/htpasswd-validator
...
Refactor HTPasswd Validator
2020-07-18 17:29:50 +01:00
e73db7df7b
Add HTPasswd validator refactor to changelog
2020-07-18 11:01:49 +01:00
2981a5ed1a
Integrate HTPasswdValidator into OAuth2 Proxy
2020-07-18 11:01:49 +01:00
7d8ee61254
Add HTPasswdValidator to basic authentication package
2020-07-18 11:01:49 +01:00
895403cb9b
Document what provider have support for --cookie-refresh. ( #543 )
...
Co-authored-by: Dirk Weinhardt <dirk.weinhardt@etl.de >
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk >
2020-07-15 00:05:13 +01:00
abeb0236d8
Strip X-Forwarded auth headers from whitelisted paths ( #624 )
...
* Strip X-Forwarded auth headers from whitelisted paths
For any paths that match skip-auth-regex, strip normal
X-Forwarded headers that would be sent based on pass-user-headers
or pass-access-token settings. This prevents malicious injecting
of authentication headers through the skip-auth-regex paths in
cases where the regex might be misconfigured and too open.
Control this behavior with --skip-auth-strip-headers flag. This
flag is set to TRUE by default (this is secure by default, but
potentially breaks some legacy configurations).
Only x-Forwarded headers stripped, left the Authorization header
untouched.
* Strip authorization header if it would be set
* Improve TestStripAuthHeaders test table
* Improve --skip-auth-strip-headers flag documentation
2020-07-14 23:46:44 +01:00
bb5977095f
Add option to remove tokens from cookie sessions ( #673 )
...
* Add option to remove tokens from cookie sessions
* Move Minimal to be an option on CookieSession
* Add sessionOptionsDefaults helper
2020-07-14 23:02:10 +01:00
