1
0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2024-11-30 09:16:52 +02:00
Commit Graph

146 Commits

Author SHA1 Message Date
Braunson
fcecbeb13c
Inconsistent code-challenge-method CLI flag and config file naming (#1766)
* Inconsistent code-challenge-method CLI flag and config file naming

- Allow previous config option for now to prevent breaking configs

Fixes #1667

* Add changelog entry

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2022-09-01 10:58:43 +01:00
Chris Bednarz
ebacc2d7e4 Added ability to specify allowed TLS cipher suites. 2022-08-31 17:55:06 -07:00
Nuno Miguel Micaelo Borges
a1ff878fdc
Add flags to define CSRF cookie expiration time and to allow CSRF cookies per request (#1708)
* Add start of state to CSRF cookie name

* Update CHANGELOG.md

* Update CHANGELOG.md

* Support optional flags

* Update CHANGELOG.md

* Update CHANGELOG.md

* Update CHANGELOG.md

* Update overview.md

Add new CSRF flags

* Update overview.md

Describe new CSRF flags

Co-authored-by: Nuno Borges <Nuno.Borges@ctw.bmwgroup.com>
2022-08-31 23:27:56 +01:00
Dmitry Kartsev
0cfb9c6da0
adding IdleTimeout with the redis-connection-idle-timeout flag, to ke… (#1691)
* adding IdleTimeout with the redis-connection-idle-timeout flag, to keep redis connections in valid state, when Redis  option is set

* docs update - add redis idle timeout configurations

* changelog update for #1691 fix
2022-08-09 21:57:13 +01:00
Jack Henschel
7a27cb04df Implement configurable timeout for upstream connections
Signed-off-by: Jack Henschel <jack.henschel@cern.ch>
2022-05-18 11:41:17 +01:00
Joel Speed
f820deb96d
Merge pull request #1583 from adriananeci/groups_token_to_session
Add groups to session too when creating session from bearer token
2022-03-14 09:18:24 +00:00
Braunson
ce750e9b30
PKCE Support (#1541)
* Add the allowed_email_domains and the allowed_groups on the auth_request endpoint + support standard wildcard char for validation with sub-domain and email-domain.

Signed-off-by: Valentin Pichard <github@w3st.fr>

* Fix provider data initialisation

* PKCE Support

Adds Code Challenge PKCE support (RFC-7636) and partial
Authorization Server Metadata (RFC-8414) for detecting PKCE support.

- Introduces new option `--force-code-challenge-method` to force a
specific code challenge method (either `S256` or `plain`) for instances
when the server has not implemented RFC-8414 in order to detect
PKCE support on the discovery document.
- In all other cases, if the PKCE support can be determined during discovery
then the `code_challenge_methods_supported` is used and S256 is always
preferred.
- The force command line argument is helpful with some providers like Azure
who supports PKCE but does not list it in their discovery document yet.
- Initial thought was given to just always attempt PKCE since according to spec
additional URL parameters should be dropped by servers which implemented
OAuth 2, however other projects found cases in the wild where this causes 500
errors by buggy implementations.
See: https://github.com/spring-projects/spring-security/pull/7804#issuecomment-578323810
- Due to the fact that the `code_verifier` must be saved between the redirect and
callback, sessions are now created when the redirect takes place with `Authenticated: false`.
The session will be recreated and marked as `Authenticated` on callback.
- Individual provider implementations can choose to include or ignore code_challenge
and code_verifier function parameters passed to them

Note: Technically speaking `plain` is not required to be implemented since
oauth2-proxy will always be able to handle S256 and servers MUST implement
S256 support.
> If the client is capable of using "S256", it MUST use "S256", as "S256"
> is Mandatory To Implement (MTI) on the server.  Clients are permitted
> to use "plain" only if they cannot support "S256" for some technical
> reason and know via out-of-band configuration that the server supports
> "plain".
Ref: RFC-7636 Sec 4.2

oauth2-proxy will always use S256 unless the user explicitly forces `plain`.

Fixes #1361

* Address PR comments by moving pkce generation

* Make PKCE opt-in, move to using the Nonce generater for code verifier

* Make PKCE opt-in, move to using the Nonce generater for code verifier

* Encrypt CodeVerifier in CSRF Token instead of Session

- Update Dex for PKCE support
- Expose HTTPBin for further use cases

* Correct the tests

* Move code challenges into extra params

* Correct typo in code challenge method

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Correct the extra space in docs

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Address changelog and new line nits

* Add generated docs

Co-authored-by: Valentin Pichard <github@w3st.fr>
Co-authored-by: Joel Speed <joel.speed@hotmail.co.uk>
2022-03-13 10:08:33 +00:00
Adrian Aneci
a392cc1098 Add groups to session too when creating session from token 2022-03-12 18:01:57 +02:00
Ian Roberts
63727103db Support for passing through URL query parameters from /oauth2/start to the ID provider's login URL.
You must explicitly configure oauth2-proxy (alpha config only) with which parameters are allowed to pass through, and optionally provide an allow-list of valid values and/or regular expressions for each one.  Note that this mechanism subsumes the functionality of the "prompt", "approval_prompt" and "acr_values" legacy configuration options, which must be converted to the equivalent YAML when running in alpha config mode.
2022-02-19 16:11:09 +00:00
Joel Speed
82710a7ac1
Fix other packages that rely on verifiers 2022-02-19 15:37:58 +00:00
Joel Speed
979c3e8cbc
Move internal OIDC package to providers package 2022-02-19 15:37:53 +00:00
Joel Speed
263a5df820
Merge pull request #1286 from instadeepai/allowed_email_domains-on-auth_request-endpoint
Add allowed_email_domains on auth_request endpoint
2022-02-17 17:10:43 +00:00
Joel Speed
d162b018a8
Move provider initialisation into providers package 2022-02-16 10:38:05 +00:00
Joel Speed
95dd2745c7
Remove options dependency on providers package 2022-02-16 10:38:04 +00:00
Kevin Schu
25371ea4af
improved audience handling to support client credentials access tokens without aud claims (#1204)
* implementation draft

* add cfg options skip-au-when-missing && client-id-verification-claim; enhance the provider data verification logic for sake of the added options

* refactor configs, added logging and add additional claim verification

* simplify logic by just having one configuration similar to oidc-email-claim

* added internal oidc token verifier, so that aud check behavior can be managed with oauth2-proxy and is compatible with extra-jwt-issuers

* refactored verification to reduce complexity

* refactored verification to reduce complexity

* added docs

* adjust tests to support new OIDCAudienceClaim and OIDCExtraAudiences options

* extend unit tests and ensure that audience is set with the value of aud claim configuration

* revert filemodes and update docs

* update docs

* remove unneccesary logging, refactor audience existence check and added additional unit tests

* fix linting issues after rebase on origin/main

* cleanup: use new imports for migrated libraries after rebase on origin/main

* adapt mock in keycloak_oidc_test.go

* allow specifying multiple audience claims, fixed bug where jwt issuers client id was not the being considered and fixed bug where aud claims with multiple audiences has broken the whole validation

* fixed formatting issue

* do not pass the whole options struct to minimize complexity and dependency to the configuration structure

* added changelog entry

* update docs

Co-authored-by: Sofia Weiler <sofia.weiler@aoe.com>
Co-authored-by: Christian Zenker <christian.zenker@aoe.com>
2022-02-15 16:12:22 +00:00
Valentin Pichard
2b4c8a9846 Add the allowed_email_domains and the allowed_groups on the auth_request endpoint + support standard wildcard char for validation with sub-domain and email-domain.
Signed-off-by: Valentin Pichard <github@w3st.fr>
2022-02-14 18:03:20 +01:00
polarctos
e03cf87dd8 Add option to specify the tls-min-version for the server 2022-02-09 20:19:01 +01:00
Luka Zakrajšek
d3e036d619 Add force-json-errors flag 2021-10-05 11:24:47 +02:00
Fabian Stelzer
88f32aeaa1
rename Upstreams to UpstreamConfig and its Configs member to Upstreams then 2021-09-17 12:37:57 +00:00
Fabian Stelzer
d51556515e
Introduce ProxyRawPath flag
Setting this flag will configure the upstream proxy to pass encoded urls
as-is.
2021-09-17 12:37:56 +00:00
Fabian Stelzer
12ab4ef529
Make the Upstreams mux configurable
This commit changes Upstreams from []Upstream to a struct{}
moving the previous []Upstream into .Configs and adjusts all uses of it.
2021-09-17 12:31:18 +00:00
Miks Kalnins
54d44ccb8f
Allow specifying URL as input for custom sign in logo (#1330)
* Allow specifying URL as input for custom logos

* Fix typo

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update changelog

* Only allow HTTPS URLs

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Nick Meves <nicholas.meves@gmail.com>
2021-09-05 09:23:22 -07:00
Peter Braun
e6223383e5 update keycloak oidc provider and add unit tests 2021-08-02 11:39:50 +02:00
Nick Meves
ab54de38cc Extract roles from Keycloak Access Tokens 2021-07-30 09:46:13 +02:00
Nick Meves
0b4bc36554
Upgrade go-oidc to v3 (#1264) 2021-07-17 09:55:05 -07:00
wassan128
777556c97e Fix typo s/commmon/common/ 2021-07-08 21:29:43 +09:00
Nick Meves
1faa5c47ce Remove finicky encryption test
AES-CFB is unauthenticated, in rare circumstances it won't error on
AES-GCM encrypted payloads
2021-07-01 19:03:01 -07:00
Joel Speed
6c62b25bf1
Allow request paths to be rewritten before proxying to upstream server 2021-06-23 12:20:46 +01:00
Nick Meves
baf6cf3816 Remove mutex from local Clock instances
They will only be used in tests, but it doesn't play
nice with copy operations many tests use. The linter was
not happy. While the global clock needs mutexes for parallelism,
local Clocks only used it for Set/Add and didn't even use the
mutex for actual time functions.
2021-06-22 17:04:42 -07:00
Nick Meves
d91c3f867d Remove validation for invalid legacy v6.0.0 sessions
The reflect.DeepCopy doesn't play nice with the new Lock and Clock
fields in sessions. And it added unneeded session deserialization
logic to every request.
2021-06-22 17:04:42 -07:00
Nick Meves
593125152d Standarize provider refresh implemention & logging 2021-06-22 17:04:30 -07:00
Nick Meves
7fa6d2d024 Manage session time fields centrally 2021-06-21 21:54:52 -07:00
Sami Racho
a14c0c2121 Added ADFS Provider 2021-06-13 10:19:56 +02:00
Frederic Pape
cfd82daaf0
Some typos (#1222)
* Some typos

* Also corrected the typo's in the src code

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2021-06-02 19:41:30 +01:00
Kevin Kreitner
f648c54d87
Add redis lock feature (#1063)
* Add sensible logging flag to default setup for logger

* Add Redis lock

* Fix default value flag for sensitive logging

* Split RefreshSessionIfNeeded in two methods and use Redis lock

* Small adjustments to doc and code

* Remove sensible logging

* Fix method names in ticket.go

* Revert "Fix method names in ticket.go"

This reverts commit 408ba1a1a5.

* Fix methods name in ticket.go

* Remove block in Redis client get

* Increase lock time to 1 second

* Perform retries, if session store is locked

* Reverse if condition, because it should return if session does not have to be refreshed

* Update go.sum

* Update MockStore

* Return error if loading session fails

* Fix and update tests

* Change validSession to session in docs and strings

* Change validSession to session in docs and strings

* Fix docs

* Fix wrong field name

* Fix linting

* Fix imports for linting

* Revert changes except from locking functionality

* Add lock feature on session state

* Update from master

* Remove errors package, because it is not used

* Only pass context instead of request to lock

* Use lock key

* By default use NoOpLock

* Remove debug output

* Update ticket_test.go

* Map internal error to sessions error

* Add ErrLockNotObtained

* Enable lock peek for all redis clients

* Use lock key prefix consistent

* Fix imports

* Use exists method for peek lock

* Fix imports

* Fix imports

* Fix imports

* Remove own Dockerfile

* Fix imports

* Fix tests for ticket and session store

* Fix session store test

* Update pkg/apis/sessions/interfaces.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Do not wrap lock method

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Use errors package for lock constants

* Use better naming for initLock function

* Add comments

* Add session store lock test

* Fix tests

* Fix tests

* Fix tests

* Fix tests

* Add cookies after saving session

* Add mock lock

* Fix imports for mock_lock.go

* Store mock lock for key

* Apply elapsed time on mock lock

* Check if lock is initially applied

* Reuse existing lock

* Test all lock methods

* Update CHANGELOG.md

* Use redis client methods in redis.lock for release an refresh

* Use lock key suffix instead of prefix for lock key

* Add comments for Lock interface

* Update comment for Lock interface

* Update CHANGELOG.md

* Change LockSuffix to const

* Check lock on already loaded session

* Use global var for loadedSession in lock tests

* Use lock instance for refreshing and releasing of lock

* Update possible error type for Refresh

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2021-06-02 19:08:19 +01:00
Itay Brandes
095e1db801 fix: SHOW_DEBUG_ON_ERROR environment variable not working
(Fixes #1178)
2021-05-04 19:17:30 +03:00
Nick Meves
544ba2a21c
Fix Metrics cfg option naming typo 2021-04-23 13:24:28 -07:00
Nick Meves
7eeaea0b3f
Support nonce checks in OIDC Provider (#967)
* Set and verify a nonce with OIDC

* Create a CSRF object to manage nonces & cookies

* Add missing generic cookie unit tests

* Add config flag to control OIDC SkipNonce

* Send hashed nonces in authentication requests

* Encrypt the CSRF cookie

* Add clarity to naming & add more helper methods

* Make CSRF an interface and keep underlying nonces private

* Add ReverseProxy scope to cookie tests

* Align to new 1.16 SameSite cookie default

* Perform SecretBytes conversion on CSRF cookie crypto

* Make state encoding signatures consistent

* Mock time in CSRF struct via Clock

* Improve InsecureSkipNonce docstring
2021-04-21 10:33:27 +01:00
yanasega
42475c28f7
Multiple providers in alpha config (#947)
* Initial commit of multiple provider logic:
1. Created new provider options.
2. Created legacy provider options and conversion options.
3. Added Providers to alpha Options.
4. Started Validation migration of multiple providers
5. Tests.

* fixed lint issues

* additional lint fixes

* Nits and alterations based on CR: manliy splitting large providers validation function and adding comments to provider options

* fixed typo

* removed weird : file

* small CR changes

* Removed GoogleGroups validation due to new allowed-groups (including tests). Added line in CHANGELOG

* Update pkg/apis/options/providers.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/apis/options/providers.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/apis/options/providers.go

Co-authored-by: Nick Meves <nick.meves@greenhouse.io>

* Initial commit of multiple provider logic:
1. Created new provider options.
2. Created legacy provider options and conversion options.
3. Added Providers to alpha Options.
4. Started Validation migration of multiple providers
5. Tests.

* fixed lint issues

* additional lint fixes

* Nits and alterations based on CR: manliy splitting large providers validation function and adding comments to provider options

* small CR changes

* auto generates alpha_config.md

* rebase (mainly service alpha options related conflicts)

* removed :

* Nits and alterations based on CR: manliy splitting large providers validation function and adding comments to provider options

* small CR changes

* Removed GoogleGroups validation due to new allowed-groups (including tests). Added line in CHANGELOG

* "cntd. rebase"

* ran make generate again

* last conflicts

* removed duplicate client id validation

* 1. Removed provider prefixes
2. altered optionsWithNilProvider logic
3. altered default provider logic
4. moved change in CHANELOG to 7.0.0

* fixed TestGoogleGroupOptions test

* ran make generate

* moved CHANGLOG line to 7.1.1

* moved changelog comment to 7.1.2 (additional rebase)

Co-authored-by: Yana Segal <yana.segal@nielsen.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Nick Meves <nick.meves@greenhouse.io>
2021-04-03 17:06:30 +01:00
Oliver
7ebeecb128
Fix metrics server (#1141)
* fix MetricsSecureAddress cfg tag

* add metrics* flags to docs

* update CHANGELOG
2021-04-01 13:58:13 +01:00
Joel Speed
64f0a9f580
Reinstate preferEmailToUser behaviour for basic auth sessions 2021-03-22 13:13:26 +00:00
Nick Meves
c1267bb92d
Request ID Logging (#1087)
* Add RequestID to the RequestScope

* Expose RequestID to auth & request loggers

* Use the RequestID in templated HTML pages

* Allow customizing the RequestID header

* Document new Request ID support

* Add more cases to scope/requestID tests

* Split Get vs Generate RequestID funtionality

* Add {{.RequestID}} to the request logger tests

* Move RequestID management to RequestScope

* Use HTML escape instead of sanitization for Request ID rendering
2021-03-21 18:20:57 +00:00
Joel Speed
f4b3115dd3
Add complete metrics server configuration 2021-03-07 11:49:12 +00:00
Joel Speed
3d457a8cdf
Create server options struct and move legacy server options to legacyOptions 2021-03-07 11:49:08 +00:00
Nick Meves
602dac7852
Move Logging to Middleware Package (#1070)
* Use a specialized ResponseWriter in middleware

* Track User & Upstream in RequestScope

* Wrap responses in our custom ResponseWriter

* Add tests for logging middleware

* Inject upstream metadata into request scope

* Use custom ResponseWriter only in logging middleware

* Assume RequestScope is never nil
2021-03-06 17:27:16 +00:00
Stefan Sedich
220b3708fc
Add support for setting groups on session when using basic auth (#1064)
* Add support for setting groups on session when using basic auth

* Refactoring based on feedback

* Attribution
2021-02-25 13:02:23 -08:00
Joel Speed
23e545a639
Add option for custom logos on the sign in page 2021-02-19 13:23:55 +00:00
Sean Jones
a7c8a233ba
Add Prometheus metrics endpoint
Add the Prometheus http.Handler to serve metrics at MetricsPath ("/metrics"
by default). This allows Prometheus to scrape metrics from OAuth2 Proxy.

Add a new middleware NewRequestMetrics and attach it to the preAuth
chain. This will collect metrics on all requests made to OAuth2 Proxy

Collapse some calls to Prinf() and os.Exit(1) to Fatalf as they are
equivalent. main() has a strict 50 lines limit so brevity in these
calls appreciated
2021-02-15 13:45:26 +00:00
Joel Speed
6ecbc7bc4e
Allow users to choose detailed error messages on error pages 2021-02-12 21:12:28 +00:00
Joel Speed
84f76c6060
Move template options to their own struct 2021-02-12 16:55:51 +00:00