1
0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2024-11-30 09:16:52 +02:00
Commit Graph

1735 Commits

Author SHA1 Message Date
Braunson
fcecbeb13c
Inconsistent code-challenge-method CLI flag and config file naming (#1766)
* Inconsistent code-challenge-method CLI flag and config file naming

- Allow previous config option for now to prevent breaking configs

Fixes #1667

* Add changelog entry

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2022-09-01 10:58:43 +01:00
Joel Speed
d19182c740
Merge pull request #1723 from crbednarz/allow-tls-cipher-config
Added ability to specify allowed TLS cipher suites.
2022-09-01 10:54:25 +01:00
Chris Bednarz
ebacc2d7e4 Added ability to specify allowed TLS cipher suites. 2022-08-31 17:55:06 -07:00
Nuno Miguel Micaelo Borges
a1ff878fdc
Add flags to define CSRF cookie expiration time and to allow CSRF cookies per request (#1708)
* Add start of state to CSRF cookie name

* Update CHANGELOG.md

* Update CHANGELOG.md

* Support optional flags

* Update CHANGELOG.md

* Update CHANGELOG.md

* Update CHANGELOG.md

* Update overview.md

Add new CSRF flags

* Update overview.md

Describe new CSRF flags

Co-authored-by: Nuno Borges <Nuno.Borges@ctw.bmwgroup.com>
2022-08-31 23:27:56 +01:00
Lorenzo Biava
f8bd853702
Azure AD Doc: change permission to openid and add warning on consent (#1752)
The Azure AD Doc mentioned a very broad and risky permission, which is not really required by the proxy, and some Admins won't even permit.
This change recommends using the much more restricted "openid", and also warns about the consent that could still be required in certain cases.
2022-08-31 22:16:53 +01:00
Felix Stupp
723f6cc5d5
docs/conf/overview: Add hint about cookie prefixes to --cookie-name (#1744)
* docs/conf/overview: Add hint about cookie prefixes to --cookie-name

Cookie Prefixes further restricts the possibilities of session attacks because supporting clients will only accept cookies with one of the prefix if certain requirements were meet, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#cookie_prefixes

* Backport cookie prefixes to older docs

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2022-08-31 22:08:02 +01:00
Konstantin Shalygin
c228d9e273
docs/docs/configuration/auth: fixed example of oidc-issuer-url for Keycloak (#1758)
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2022-08-31 22:07:49 +01:00
Felipe B. Conti
ff03c43842
Fix vulnerabilities on crypto, net and sys packages and change go ver… (#1774)
* Fix vulnerabilities on crypto, net and sys packages and change go version on Docker builder stage

* Changelog related PR $1774

Co-authored-by: Felipe Bonvicini Conti <felipe.conti@totvs.com.br>
2022-08-31 21:37:07 +01:00
Joel Speed
884c4ee484
Merge pull request #1773 from giautm/patch-1
k8s: fixed invalid cookie_domain
2022-08-31 21:27:24 +01:00
Giau. Tran Minh
3d6ccc7cf7
k8s: fixed invalid cookie_domain 2022-08-28 17:54:32 +07:00
Dmitry Kartsev
0cfb9c6da0
adding IdleTimeout with the redis-connection-idle-timeout flag, to ke… (#1691)
* adding IdleTimeout with the redis-connection-idle-timeout flag, to keep redis connections in valid state, when Redis  option is set

* docs update - add redis idle timeout configurations

* changelog update for #1691 fix
2022-08-09 21:57:13 +01:00
Chris
6e02bb496b
Extract Keycloak roles while creating a session from token (#1720)
* extract roles while creating session

* add test

* adjust changelog

* remove unused func

* shorten implementation

Co-authored-by: Christian Hirsch <christian.hirsch@nitrado.net>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2022-08-08 23:28:46 +01:00
t-katsumura
bcadad4c30
Fix method deprecated error in lint (#1699)
* fix method deprecated error in lint

* Fix logic of testing GetCertPool() method

* fix typo

* improve comment

* Fix typo

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2022-08-08 23:18:29 +01:00
Joel Speed
7a784a460d
Merge pull request #1709 from aiciobanu/basic-login-failed-message
Show an alert message when basic auth credentials are invalid
2022-07-13 14:50:47 +01:00
Alexandru Ciobanu
33a3a602bc added CHANGELOG.md entry for #1709 2022-07-13 16:26:30 +03:00
Alexandru Ciobanu
52cf162843 added tests for basic auth alert message feature 2022-06-30 18:11:43 +03:00
Alexandru Ciobanu
cbda3cf618 implement an error alert message for invalid basic auth credentials 2022-06-30 18:10:02 +03:00
Joel Speed
db74661e10
Merge pull request #1665 from oauth2-proxy/release-7.3.0
Release 7.3.0
2022-05-29 15:50:17 +01:00
Joel Speed
4344610f80
Create versioned docs for release v7.3.x
Created with: yarn run docusaurus docs:version 7.3.x
2022-05-29 15:43:02 +01:00
Joel Speed
95e1a4973e
Update CHANGELOG for v7.3.0 release 2022-05-29 15:36:50 +01:00
Joel Speed
d3f428a1a6
Discover signature algorithms from OIDC provider (#1662) 2022-05-29 13:48:09 +01:00
ckwalsh
c900c51a1b
Unbreak oauth2-proxy for keycloak provider after 2c668a (#1502)
* Unbreak oauth2-proxy for keycloak provider after 2c668a

With 2c668a, oauth2-proxy fails a request if the token validation fails.
Token validation always fails with the keycloak provider, due to the
valudation request passing the token via the URL, and keycloak not
parsing the url for tokens.

This is fixed by forcing the validation request to pass the token via a
header.

This code taken from the DigitalOcean provider, which presumably forcing
the token to be passed via header for the same reason.

Test plan: I was unable to build a docker image to test the fix, but I
believe it is relatively simple, and it passes the "looks good to me"
test plan.

* Add changelog entry for unbreak keycloak

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2022-05-29 11:08:04 +01:00
snowjet
01da2ac352
Update KeyCloak Auth Provider oidc_issuer_url (#1661)
The correct URL for the oidc-issuer-url in KeyCloak v18.0 is: https://<keycloak host>/realms/<your realm>. 
Using the old URL causes oauth2-proxy to crash on startup.

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2022-05-29 10:20:42 +01:00
bradybus
167acf7f09
Add redirect instructions for gitlab on sub-dir (#1616)
* Add redirect instructions for gitlab on sub-dir

* include redirect instructions in unversioned docs

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2022-05-29 10:17:30 +01:00
adamsong
fc686ae95c
Corrects request endpoint (#1650)
* Fixes typo in repo endpoint

* Update CHANGELOG.md

* Fix the test to mock the correct endpoint

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2022-05-25 20:05:12 +01:00
t-katsumura
c6a98369a0
Add description on ipv6 address (#1635)
* add docs on ipv6

* add tests for ipv6 address

* add tests for ipv6 address

* remove Print function for debugging

* Updated changelog
2022-05-23 10:17:29 +01:00
Nik Skoufis
743c344fdc
Change error type for redirect parsing errors (#1649)
* Change error type for redirect parsing errors

This changes the error type returned when the proxy fails to parse the
redirect target to be a 400 error instead of a 500 error.

As far as I can tell, the only way that this can fail is a failure to
parse the properties of the request to identity the redirect target.
This indicates that the user has sent a malformed request, and so should
result in a 400 rather than a 500.

I've added a test to exercise this, based on a real work example.

* Update changelog

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2022-05-20 14:26:21 +01:00
Joel Speed
086b869945
Merge pull request #1638 from jacksgt/configure-upstream-timeout
Configure upstream timeout
2022-05-20 14:04:28 +01:00
Jack Henschel
7a27cb04df Implement configurable timeout for upstream connections
Signed-off-by: Jack Henschel <jack.henschel@cern.ch>
2022-05-18 11:41:17 +01:00
Joel Speed
27f4bb6a0e
Merge pull request #1651 from rkkris75/oauth2-proxy-cvefix
CVE fixes pertaining to text, crypto and prometheus
2022-05-16 10:09:15 +01:00
Rajesh Krishnamurthy
1aef90f9a9 Added changelog for PR #1651 2022-05-13 15:44:58 -07:00
Rajesh Krishnamurthy
f8ddc130d8 CVE fixes pertaining to text, crypto and prometheus 2022-05-13 14:53:24 -07:00
zv0n
b794248176
Add allowed_emails option to the auth endpoint query string (#1595)
* Add allowed_emails option to the auth endpoint query string

* Don't return true from checkAllowedEmailsOrDomains only because domains field was empty

* Fix checkAllowedEmailsOrDomains logic

* Added tests for allowed_emails query parameter

* Updated CHANGELOG

* Remove checkAllowedEmailsOrDomains

Co-authored-by: Nick Meves <nicholas.meves@gmail.com>
2022-04-23 18:11:38 -07:00
Braunson
333e68637f
Build ARMv8 Docker Images (#1594)
* Build ARMv8 Docker Images

Fixes #1593

* Change platform to arm64/v8

* Drop separate tags for different architectures

* Mark the architecture image tags for deprecation

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2022-04-14 15:52:43 +01:00
Ole-Martin Bratteng
2e9c30ac12
Parameterise runtime image (#1478)
* Use distroless debian11 docker image

* Add `Dockerfile` to `.dockerignore`

* Replace `nonroot` with the matching UID/GID
Alpine does not have that user, and it cause issues when trying to start the container

* Use a build arg for setting the runtime image

* Explain why `ARG RUNTIME_IMAGE` is at the top

* Add entry to CHANGELOG

* Move build-arg to `DOCKER_BUILDX_ARGS`
2022-04-14 14:10:59 +01:00
Joel Speed
f820deb96d
Merge pull request #1583 from adriananeci/groups_token_to_session
Add groups to session too when creating session from bearer token
2022-03-14 09:18:24 +00:00
Braunson
ce750e9b30
PKCE Support (#1541)
* Add the allowed_email_domains and the allowed_groups on the auth_request endpoint + support standard wildcard char for validation with sub-domain and email-domain.

Signed-off-by: Valentin Pichard <github@w3st.fr>

* Fix provider data initialisation

* PKCE Support

Adds Code Challenge PKCE support (RFC-7636) and partial
Authorization Server Metadata (RFC-8414) for detecting PKCE support.

- Introduces new option `--force-code-challenge-method` to force a
specific code challenge method (either `S256` or `plain`) for instances
when the server has not implemented RFC-8414 in order to detect
PKCE support on the discovery document.
- In all other cases, if the PKCE support can be determined during discovery
then the `code_challenge_methods_supported` is used and S256 is always
preferred.
- The force command line argument is helpful with some providers like Azure
who supports PKCE but does not list it in their discovery document yet.
- Initial thought was given to just always attempt PKCE since according to spec
additional URL parameters should be dropped by servers which implemented
OAuth 2, however other projects found cases in the wild where this causes 500
errors by buggy implementations.
See: https://github.com/spring-projects/spring-security/pull/7804#issuecomment-578323810
- Due to the fact that the `code_verifier` must be saved between the redirect and
callback, sessions are now created when the redirect takes place with `Authenticated: false`.
The session will be recreated and marked as `Authenticated` on callback.
- Individual provider implementations can choose to include or ignore code_challenge
and code_verifier function parameters passed to them

Note: Technically speaking `plain` is not required to be implemented since
oauth2-proxy will always be able to handle S256 and servers MUST implement
S256 support.
> If the client is capable of using "S256", it MUST use "S256", as "S256"
> is Mandatory To Implement (MTI) on the server.  Clients are permitted
> to use "plain" only if they cannot support "S256" for some technical
> reason and know via out-of-band configuration that the server supports
> "plain".
Ref: RFC-7636 Sec 4.2

oauth2-proxy will always use S256 unless the user explicitly forces `plain`.

Fixes #1361

* Address PR comments by moving pkce generation

* Make PKCE opt-in, move to using the Nonce generater for code verifier

* Make PKCE opt-in, move to using the Nonce generater for code verifier

* Encrypt CodeVerifier in CSRF Token instead of Session

- Update Dex for PKCE support
- Expose HTTPBin for further use cases

* Correct the tests

* Move code challenges into extra params

* Correct typo in code challenge method

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Correct the extra space in docs

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Address changelog and new line nits

* Add generated docs

Co-authored-by: Valentin Pichard <github@w3st.fr>
Co-authored-by: Joel Speed <joel.speed@hotmail.co.uk>
2022-03-13 10:08:33 +00:00
Adrian Aneci
a392cc1098 Add groups to session too when creating session from token 2022-03-12 18:01:57 +02:00
Joel Speed
45ef848b0a
Merge pull request #1577 from simon04/patch-1
main: fix typo "convert-config-to-alpha"
2022-02-24 13:16:08 +00:00
Simon Legner
5b89e975d1
main: fix typo "convert-config-to-alpha" 2022-02-24 08:59:45 +01:00
Joel Speed
b2f780c394
Merge pull request #1512 from r4co0n/fix-docs-cookiesecret-generator-bash
docs/configuration: Fix entropy for bash secret
2022-02-21 21:44:04 +00:00
Joel Speed
6dfa3021e8
Merge branch 'master' into fix-docs-cookiesecret-generator-bash 2022-02-20 14:17:12 +00:00
Joel Speed
d34644e160
Merge pull request #1567 from oauth2-proxy/fix-docs-release
Ensure docs release action has correct env
2022-02-20 14:14:52 +00:00
Joel Speed
eb43b17750
Ensure docs release action has correct env 2022-02-20 14:07:56 +00:00
Simon Hollenbach
b999c41a5a docs/7.1.x/configuration: Use 32 bytes to generate secret 2022-02-20 14:41:46 +01:00
Simon Hollenbach
4ed564901e docs/versioned_docs: Backport fix entropy for bash secret (#1511) 2022-02-20 14:38:11 +01:00
Simon Hollenbach
db71dd8c55 docs/configuration: Fix entropy for bash secret
Filtering `/dev/urandom` for alphanumeric characters resulted in loss of
input entropy to base64. Fixing this using a procedure with these steps:

  * Read 32 bytes from `/dev/urandom` (`dd`)
  * Base64-encode (`base64`)
  * Strip newlines (`tr -d`)
  * URL-Escape (`tr`)
  * Append a final newline (`echo`)

This output should be equivalent to output generated using Python and
OpenSSL variants mentioned in the changed document file.

Newlines are stripped as `base64` wraps its output and the option to
disable this (`-w 0`) is not available in all implementations.

Fixes: #1511
2022-02-20 14:38:11 +01:00
Joel Speed
cc94be0314
Merge pull request #1565 from oauth2-proxy/update-docusaurus
Update Docusaurus to 2.0.0-beta.15
2022-02-19 23:10:02 +00:00
Joel Speed
c232136196
Update docs github actions to Node 17 2022-02-19 18:45:07 +00:00
Joel Speed
3ac51f5e2f
Update Docusaurus to 2.0.0-beta.15 2022-02-19 18:40:13 +00:00