From 7404195c6ec4944a0c3e714af891c264d0bed92e Mon Sep 17 00:00:00 2001 From: Zadkiel Date: Wed, 13 Feb 2019 16:34:46 +0100 Subject: [PATCH 1/4] Add oidc-issuer-url arg to README --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index deaa039..6432f5e 100644 --- a/README.md +++ b/README.md @@ -222,6 +222,7 @@ Usage of oauth2_proxy: -proxy-prefix string: the url root path that this proxy should be nested under (e.g. //sign_in) (default "/oauth2") -redeem-url string: Token redemption endpoint -redirect-url string: the OAuth Redirect URL. ie: "https://internalapp.yourcompany.com/oauth2/callback" + -oidc-issuer-url: the OpenID Connect issuer URL. ie: "https://accounts.google.com" -request-logging: Log requests to stdout (default true) -request-logging-format: Template for request log lines (see "Logging Format" paragraph below) -resource string: The resource that is protected (Azure AD only) From da7d34051929347e106d74700445eda5abdd8575 Mon Sep 17 00:00:00 2001 From: Zadkiel Date: Wed, 13 Feb 2019 16:36:45 +0100 Subject: [PATCH 2/4] Reorder arg line --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6432f5e..522b766 100644 --- a/README.md +++ b/README.md @@ -212,6 +212,7 @@ Usage of oauth2_proxy: -http-address string: [http://]: or unix:// to listen on for HTTP clients (default "127.0.0.1:4180") -https-address string: : to listen on for HTTPS clients (default ":443") -login-url string: Authentication endpoint + -oidc-issuer-url: the OpenID Connect issuer URL. ie: "https://accounts.google.com" -pass-access-token: pass OAuth access_token to upstream via X-Forwarded-Access-Token header -pass-authorization-header: pass OIDC IDToken to upstream via Authorization Bearer header -pass-basic-auth: pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream (default true) 
@@ -222,7 +223,6 @@ Usage of oauth2_proxy: -proxy-prefix string: the url root path that this proxy should be nested under (e.g. //sign_in) (default "/oauth2") -redeem-url string: Token redemption endpoint -redirect-url string: the OAuth Redirect URL. ie: "https://internalapp.yourcompany.com/oauth2/callback" - -oidc-issuer-url: the OpenID Connect issuer URL. ie: "https://accounts.google.com" -request-logging: Log requests to stdout (default true) -request-logging-format: Template for request log lines (see "Logging Format" paragraph below) -resource string: The resource that is protected (Azure AD only) From 2280b42f59036adb55083374fe86f904074f2d32 Mon Sep 17 00:00:00 2001 From: David Holsgrove Date: Fri, 22 Feb 2019 17:49:57 +1000 Subject: [PATCH 3/4] Access token forwarding through nginx auth request (#68) * Access token forwarding through nginx auth request Related to #420. (cherry picked from commit b138872beaaa7f47d43a1c0fef11a67f57e61eff) Signed-off-by: David Holsgrove * Improved documentation for auth request token (cherry picked from commit 6fab314f7203f4d652bb34247abb4e7cb497c41d) Signed-off-by: David Holsgrove * Update README.md Example should set header as `X-Access-Token` Co-Authored-By: davidholsgrove * Update Changelog to reference https://github.com/pusher/oauth2_proxy/pull/68 * Fix Changelog message location --- CHANGELOG.md | 2 ++ README.md | 4 ++++ oauthproxy.go | 3 +++ 3 files changed, 9 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b72f7c1..d98b209 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,8 @@ ## Changes since v3.1.0 +- [#68](https://github.com/pusher/oauth2_proxy/pull/68) forward X-Auth-Access-Token header (@davidholsgrove) + # v3.1.0 ## Release highlights diff --git a/README.md b/README.md index 522b766..db39635 100644 --- a/README.md +++ b/README.md 
@@ -425,6 +425,10 @@ server { proxy_set_header X-User $user; proxy_set_header X-Email $email; + # if you enabled --pass-access-token, this will pass the token to the backend + auth_request_set $token $upstream_http_x_auth_request_access_token; + proxy_set_header X-Access-Token $token; + # if you enabled --cookie-refresh, this is needed for it to work with auth_request auth_request_set $auth_cookie $upstream_http_set_cookie; add_header Set-Cookie $auth_cookie; diff --git a/oauthproxy.go b/oauthproxy.go index ab70686..68b1522 100644 --- a/oauthproxy.go +++ b/oauthproxy.go @@ -880,6 +880,9 @@ func (p *OAuthProxy) Authenticate(rw http.ResponseWriter, req *http.Request) int if session.Email != "" { rw.Header().Set("X-Auth-Request-Email", session.Email) } + if p.PassAccessToken && session.AccessToken != "" { + rw.Header().Set("X-Auth-Request-Access-Token", session.AccessToken) + } } if p.PassAccessToken && session.AccessToken != "" { req.Header["X-Forwarded-Access-Token"] = []string{session.AccessToken} From 1c16c2c055bcd442c5c4f0fa6d4a85fd5d053a20 Mon Sep 17 00:00:00 2001 From: Fabian Holler Date: Mon, 25 Feb 2019 10:37:05 +0100 Subject: [PATCH 4/4] build: fix: configure fails if GOPATH environment variable not set If the GOPATH enviroment variable was not set, go uses the default GOPATH (~/go/). The configure script was only checking if the GOPATH environment is set. If it wasn't the script was failing. Instead of checking if the GOPATH environment variable is set, check if "go env GOPATH" returns a non-emtpy string. --- configure | 1 + 1 file changed, 1 insertion(+) diff --git a/configure b/configure index 499ae23..0e13959 100755 --- a/configure +++ b/configure @@ -106,6 +106,7 @@ check_docker_version() { check_go_env() { echo -n "Checking \$GOPATH... " + GOPATH="$(go env GOPATH)" if [ -z "$GOPATH" ]; then printf "${RED}invalid${NC} - GOPATH not set\n" exit 1
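Review bot: The added `rw.Header().Set("X-Auth-Request-Access-Token", session.AccessToken)` writes the raw OAuth access token into the auth endpoint's response, gated only by the pre-existing `--pass-access-token` flag, which until this change controlled solely the upstream-bound `X-Forwarded-Access-Token` request header set two lines below; operators who enabled that flag for their upstream now also get the token emitted to every caller of `Authenticate` without opting in. If this endpoint is also served to browsers on the application origin (the README's `auth_request_set $token $upstream_http_x_auth_request_access_token;` shows nginx reading it from the subrequest response, but the routing is not visible here), same-origin script running in any application behind the proxy could request it with the session cookie and read the header, so an XSS would upgrade a session cookie into a bearer token. Consider a dedicated option rather than reusing `PassAccessToken`, e.g. `if p.SetAuthRequestAccessToken && session.AccessToken != ""`, and document the exposure next to the flag; at minimum add above the new `if` a comment such as `// Exposes the access token to the auth_request caller; any client that can reach this endpoint with a valid session can read it.` The `Authenticate` method begins and ends outside this hunk, and the enclosing `if` that the new block sits in is also cut off above it.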
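Review bot: After `GOPATH="$(go env GOPATH)"` the following `-z "$GOPATH"` test no longer means "variable unset": it also fires when `go` is missing from PATH or fails, because the substitution then yields an empty string (with a shell error on stderr), yet the unchanged next line still prints `GOPATH not set`, which misleads on a host without a Go toolchain. Check for the binary first, e.g. `command -v go >/dev/null 2>&1 || { printf "${RED}invalid${NC} - go not found in PATH\n"; exit 1; }`, and reword the message to `GOPATH not set and 'go env GOPATH' returned nothing`. The hunk header announces seven new-side lines but only six are visible, so a blank context line was probably lost when the patch was collapsed; `check_go_env` continues past the end of the hunk.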