* Add -user-id-claim to support other claims than email
Fix#431 - This is a minimal change to allow the user to configure which claim is
the source of the "user ID".
- Add the option `user-id-claim` (defaults to email)
- OIDC extracts this claim into session.Email (to be renamed later)
- providers: add `CreateSessionStateFromBearerToken` with a default impl taken from
`GetJwtSession` and overridden by oidc to respect `user-id-claim`
Once #466 is merged, I can continue to rename SessionState.Email to .UserID
and add HTTP headers with a corresponding name.
* Apply suggestions from code review
Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>
* Review feedback: Don't extract claims manually
Instead, parse them twice - it might be sligtly slower but less bug-prone as the code evolves.
* Fix indentation
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Allow the OIDC issuer verification to be skipped if desired.
* Remove stale warning
* Add CHANGELOG entry
Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
Co-authored-by: Dan Bond <pm@danbond.io>
* Allow multiple cookie domains to be specified
* Use X-Forwarded-Host, if it exists, when selecting cookie domain
* Perform cookie domain sorting in config validation phase
* Extract get domain cookies to a single function
* Update pkg/cookies/cookies.go
Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>
* Update changelog
Co-authored-by: Marcos Lilljedahl <marcosnils@gmail.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* feature: switch Azure AD graph API to Microsoft Graph API
* Update CHANGELOG
* Expand Breaking Changes notice
* Update CHANGELOG.md
Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>
* fix: use constant http method
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* addint redirect capability to sign_out
* updating changelog
* Add a new param to set the Authorization header to up-stream systems as Basic user:password
* Resolving code review
* mutual exclusiv changes for Basic and Bearer Authorization header
* Fixed the merge mixup and comment error
* Updated changelog and fixed typo
* Adding the new entry in changelog
Co-authored-by: Costel Moraru <costel.moraru-germany@ibm.com>
* Prevent browser caching during auth flow
* simplify no-cache logic, add tests and update changelog
* checking noCacheHeaders does not exists in response headers from upstream
* remove unnecessary codes
* add no-cache headers in SignInPage and OAuthStart for proxy mode
https://github.com/oauth2-proxy/oauth2-proxy/pull/453#discussion_r405072222
when type asserting fails here, err is reassigned with nil and the
default block of the switch prints out <nil> in the error message. This
makes debugging a configuration or access token issue difficult
The particular error this surfaces is:
Response: {
"error": "unauthorized_client",
"error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
}
Signed-off-by: Josh Bielick <jbielick@gmail.com>
* feature: Implement graceful shutdown
Propagate the request context to the Redis client.
It is possible to propagate a context cancel to Redis client if the connection is closed by the HTTP client.
The redis.Cmdable cannot use WithContext, so added the Client interface to handle redis.Client and redis.ClusterClient transparently.
Added handling of Unix signals to http server.
Upgrade go-redis/redis to v7.
* Update dependencies
- Upgrade golang/x/* and google-api-go
- Migrate fsnotify import from gopkg.in to github.com
- Replace bmizerany/assert with stretchr/testify/assert
* add doc for wrapper interface
* Update CHANGELOG.md
* fix: upgrade fsnotify to v1.4.9
* fix: remove unnessary logging
* fix: wait until all connections have been closed
* refactor: move chan to main for testing
* add assert to check if stop chan is empty
* add an idiomatic for sync.WaitGroup with timeout
* Upgrade base image tags and golangci-lint
* Upgrade golang and golangci-lint in travis-ci
* fix: tests, pointed out by golangci-lint and format files
* Upgrade dependencies
* update changelog
* fix: tests related to https://github.com/pusher/oauth2_proxy/pull/418
* Separate tests using go version build tags
* Update CHANGELOG
* Revert "Separate tests using go version build tags"
This reverts commit 9b7e65eb90cae954dc7b6316345d3207205d488a.
* fix test to support go1.14 and go1.13
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* cleaned up source to make golangci-lint pass
* providers/azure_test.go: use build in POST constant
* options_test.go: do not export unnecessary variables
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Clarify how to rename CLI options to be able to set them in the config file. I have just spent an hour trying to find out why `whitelist_domain="..."` does not work :-)
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Previously in #401, an option was added to support forwarding the email
address as the username to the upstream service when the PassBasicAuth
option is used.
The PassBasicAuth option is not appropriate for all users, with PassUserHeaders
allowing very similar functionality without specifying a basic auth headers.
The PreferEmailToUser option has been expanded to support the PassUserHeaders
option.
