ce750e9b30
* Add the allowed_email_domains and the allowed_groups on the auth_request endpoint + support standard wildcard char for validation with sub-domain and email-domain. Signed-off-by: Valentin Pichard <github@w3st.fr> * Fix provider data initialisation * PKCE Support Adds Code Challenge PKCE support (RFC-7636) and partial Authorization Server Metadata (RFC-8414) for detecting PKCE support. - Introduces new option `--force-code-challenge-method` to force a specific code challenge method (either `S256` or `plain`) for instances when the server has not implemented RFC-8414 in order to detect PKCE support on the discovery document. - In all other cases, if the PKCE support can be determined during discovery then the `code_challenge_methods_supported` is used and S256 is always preferred. - The force command line argument is helpful with some providers like Azure who supports PKCE but does not list it in their discovery document yet. - Initial thought was given to just always attempt PKCE since according to spec additional URL parameters should be dropped by servers which implemented OAuth 2, however other projects found cases in the wild where this causes 500 errors by buggy implementations. See: https://github.com/spring-projects/spring-security/pull/7804#issuecomment-578323810 - Due to the fact that the `code_verifier` must be saved between the redirect and callback, sessions are now created when the redirect takes place with `Authenticated: false`. The session will be recreated and marked as `Authenticated` on callback. - Individual provider implementations can choose to include or ignore code_challenge and code_verifier function parameters passed to them Note: Technically speaking `plain` is not required to be implemented since oauth2-proxy will always be able to handle S256 and servers MUST implement S256 support. > If the client is capable of using "S256", it MUST use "S256", as "S256" > is Mandatory To Implement (MTI) on the server. Clients are permitted > to use "plain" only if they cannot support "S256" for some technical > reason and know via out-of-band configuration that the server supports > "plain". Ref: RFC-7636 Sec 4.2 oauth2-proxy will always use S256 unless the user explicitly forces `plain`. Fixes #1361 * Address PR comments by moving pkce generation * Make PKCE opt-in, move to using the Nonce generater for code verifier * Make PKCE opt-in, move to using the Nonce generater for code verifier * Encrypt CodeVerifier in CSRF Token instead of Session - Update Dex for PKCE support - Expose HTTPBin for further use cases * Correct the tests * Move code challenges into extra params * Correct typo in code challenge method Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Correct the extra space in docs Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Address changelog and new line nits * Add generated docs Co-authored-by: Valentin Pichard <github@w3st.fr> Co-authored-by: Joel Speed <joel.speed@hotmail.co.uk> |
||
|---|---|---|
| .github | ||
| contrib | ||
| docs | ||
| pkg | ||
| providers | ||
| testdata | ||
| tools | ||
| .dockerignore | ||
| .gitignore | ||
| .golangci.yml | ||
| CHANGELOG.md | ||
| CONTRIBUTING.md | ||
| dist.sh | ||
| Dockerfile | ||
| go.mod | ||
| go.sum | ||
| LICENSE | ||
| main_suite_test.go | ||
| main_test.go | ||
| main.go | ||
| MAINTAINERS | ||
| Makefile | ||
| nsswitch.conf | ||
| oauthproxy_test.go | ||
| oauthproxy.go | ||
| README.md | ||
| RELEASE.md | ||
| SECURITY.md | ||
| validator_test.go | ||
| validator.go | ||
| version.go | ||
| watcher_unsupported.go | ||
| watcher.go | ||
A reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by email, domain or group.
Note: This repository was forked from bitly/OAuth2_Proxy on 27/11/2018. Versions v3.0.0 and up are from this fork and will have diverged from any changes in the original fork. A list of changes can be seen in the CHANGELOG.
Note: This project was formerly hosted as pusher/oauth2_proxy but has been renamed as of 29/03/2020 to oauth2-proxy/oauth2-proxy.
Going forward, all images shall be available at quay.io/oauth2-proxy/oauth2-proxy and binaries will be named oauth2-proxy.
Installation
-
Choose how to deploy:
a. Download Prebuilt Binary (current release is
v7.2.1)b. Build with
$ go get github.com/oauth2-proxy/oauth2-proxy/v7which will put the binary in$GOROOT/binc. Using the prebuilt docker image quay.io/oauth2-proxy/oauth2-proxy (AMD64, PPC64LE, ARMv6 and ARM64 tags available)
Prebuilt binaries can be validated by extracting the file and verifying it against the sha256sum.txt checksum file provided for each release starting with version v3.0.0.
sha256sum -c sha256sum.txt 2>&1 | grep OK
oauth2-proxy-x.y.z.linux-amd64: OK
- Select a Provider and Register an OAuth Application with a Provider
- Configure OAuth2 Proxy using config file, command line options, or environment variables
- Configure SSL or Deploy behind a SSL endpoint (example provided for Nginx)
Security
If you are running a version older than v6.0.0 we strongly recommend you please update to a current version. See open redirect vulnerability for details.
Docs
Read the docs on our Docs site.
Getting Involved
If you would like to reach out to the maintainers, come talk to us in the #oauth2-proxy channel in the Gophers slack.
Contributing
Please see our Contributing guidelines. For releasing see our release creation guide.