Merge branch 'master' into keycloak-provider

2019-08-17 08:10:37 +01:00 · 2019-08-17 08:10:37 +01:00 · 71dfd44149
parent 436936836d d00c14a2a7
commit 71dfd44149
23 changed files with 1131 additions and 380 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -10,3 +10,7 @@
 # or the public devops channel at https://chat.18f.gov/).
 providers/logingov.go @timothy-spencer
 providers/logingov_test.go @timothy-spencer
 # Bitbucket provider
 providers/bitbucket.go @aledeganopix4d
 providers/bitbucket_test.go @aledeganopix4d
--- a/.travis.yml
+++ b/.travis.yml
@ -3,10 +3,8 @@ go:
  - 1.12.x
 install:
  # Fetch dependencies
  - wget -O dep https://github.com/golang/dep/releases/download/v0.5.0/dep-linux-amd64
  - chmod +x dep
  - mv dep $GOPATH/bin/dep
  - curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b $GOPATH/bin v1.17.1
  - GO111MODULE=on go mod download
 script:
  - ./configure && make test
 sudo: false
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,7 +1,28 @@
 # Vx.x.x (Pre-release)
 ## Changes since v4.0.0
 - [#226](https://github.com/pusher/oauth2_proxy/pull/227) Add Keycloak provider (@Ofinka)
 # v4.0.0
 ## Release Highlights
 - Documentation is now on a [microsite](https://pusher.github.io/oauth2_proxy/)
 - Health check logging can now be disabled for quieter logs
 - Authorization Header JWTs can now be verified by the proxy to skip authentication for machine users
 - Sessions can now be stored in Redis. This reduces refresh failures and uses smaller cookies (Recommended for those using OIDC refreshing)
 - Logging overhaul allows customisable logging formats
 ## Important Notes
 - This release includes a number of breaking changes that will require users to
 reconfigure their proxies. Please read the Breaking Changes below thoroughly.
 ## Breaking Changes
 - [#231](https://github.com/pusher/oauth2_proxy/pull/231) Rework GitLab provider
  - This PR changes the configuration options for the GitLab provider to use
  a self-hosted instance. You now need to specify a `-oidc-issuer-url` rather than
  explicit `-login-url`, `-redeem-url` and `-validate-url` parameters.
 - [#186](https://github.com/pusher/oauth2_proxy/pull/186) Make config consistent
  - This PR changes configuration options so that all flags have a config counterpart
  of the same name but with underscores (`_`) in place of hyphens (`-`).
@ -18,8 +39,7 @@
  This change affects the following existing environment variables:
  - The `OAUTH2_SKIP_OIDC_DISCOVERY` environment variable is now `OAUTH2_PROXY_SKIP_OIDC_DISCOVERY`.
  - The `OAUTH2_OIDC_JWKS_URL` environment variable is now `OAUTH2_PROXY_OIDC_JWKS_URL`.
-
+- [#146](https://github.com/pusher/oauth2_proxy/pull/146) Use full email address as `User` if the auth response did not contain a `User` field
 - [#146](https://github.com/pusher/oauth2_proxy/pull/146) Use full email address as `User` if the auth response did not contain a `User` field (@gargath)
  - This change modifies the contents of the `X-Forwarded-User` header supplied by the proxy for users where the auth response from the IdP did not contain
    a username.
    In that case, this header used to only contain the local part of the user's email address (e.g. `john.doe` for `john.doe@example.com`) but now contains
@ -31,19 +51,24 @@
 ## Changes since v3.2.0
 - [#226](https://github.com/pusher/oauth2_proxy/pull/227) Add Keycloak provider (@Ofinka)
 - [#178](https://github.com/pusher/outh2_proxy/pull/178) Add Silence Ping Logging and Exclude Logging Paths flags (@kskewes)
 - [#209](https://github.com/pusher/outh2_proxy/pull/209) Improve docker build caching of layers (@dekimsey)
 - [#234](https://github.com/pusher/oauth2_proxy/pull/234) Added option `-ssl-upstream-insecure-skip-validation` to skip validation of upstream SSL certificates (@jansinger)
 - [#224](https://github.com/pusher/oauth2_proxy/pull/224) Check Google group membership using hasMember to support nested groups and external users (@jpalpant)
 - [#231](https://github.com/pusher/oauth2_proxy/pull/231) Add optional group membership and email domain checks to the GitLab provider (@Overv)
 - [#226](https://github.com/pusher/oauth2_proxy/pull/226) Made setting of proxied headers deterministic based on configuration alone (@aeijdenberg)
 - [#178](https://github.com/pusher/oauth2_proxy/pull/178) Add Silence Ping Logging and Exclude Logging Paths flags (@kskewes)
 - [#209](https://github.com/pusher/oauth2_proxy/pull/209) Improve docker build caching of layers (@dekimsey)
 - [#186](https://github.com/pusher/oauth2_proxy/pull/186) Make config consistent (@JoelSpeed)
 - [#187](https://github.com/pusher/oauth2_proxy/pull/187) Move root packages to pkg folder (@JoelSpeed)
 - [#65](https://github.com/pusher/oauth2_proxy/pull/65) Improvements to authenticate requests with a JWT bearer token in the `Authorization` header via
-  the `-skip-jwt-bearer-token` options.
+  the `-skip-jwt-bearer-token` options. (@brianv0)
  - Additional verifiers can be configured via the `-extra-jwt-issuers` flag if the JWT issuers is either an OpenID provider or has a JWKS URL
  (e.g. `https://example.com/.well-known/jwks.json`).
- [#180](https://github.com/pusher/outh2_proxy/pull/180) Minor refactor of core proxying path (@aeijdenberg).
+- [#180](https://github.com/pusher/oauth2_proxy/pull/180) Minor refactor of core proxying path (@aeijdenberg).
- [#175](https://github.com/pusher/outh2_proxy/pull/175) Bump go-oidc to v2.0.0 (@aeijdenberg).
+- [#175](https://github.com/pusher/oauth2_proxy/pull/175) Bump go-oidc to v2.0.0 (@aeijdenberg).
  - Includes fix for potential signature checking issue when OIDC discovery is skipped.
- [#155](https://github.com/pusher/outh2_proxy/pull/155) Add RedisSessionStore implementation (@brianv0, @JoelSpeed)
+- [#155](https://github.com/pusher/oauth2_proxy/pull/155) Add RedisSessionStore implementation (@brianv0, @JoelSpeed)
  - Implement flags to configure the redis session store
    - `-session-store-type=redis` Sets the store type to redis
    - `-redis-connection-url` Sets the Redis connection URL
@ -53,10 +78,10 @@
  - Introduces the concept of a session ticket. Tickets are composed of the cookie name, a session ID, and a secret.
  - Redis Sessions are stored encrypted with a per-session secret
  - Added tests for server based session stores
- [#168](https://github.com/pusher/outh2_proxy/pull/168) Drop Go 1.11 support in Travis (@JoelSpeed)
+- [#168](https://github.com/pusher/oauth2_proxy/pull/168) Drop Go 1.11 support in Travis (@JoelSpeed)
- [#169](https://github.com/pusher/outh2_proxy/pull/169) Update Alpine to 3.9 (@kskewes)
+- [#169](https://github.com/pusher/oauth2_proxy/pull/169) Update Alpine to 3.9 (@kskewes)
- [#148](https://github.com/pusher/outh2_proxy/pull/148) Implement SessionStore interface within proxy (@JoelSpeed)
+- [#148](https://github.com/pusher/oauth2_proxy/pull/148) Implement SessionStore interface within proxy (@JoelSpeed)
- [#147](https://github.com/pusher/outh2_proxy/pull/147) Add SessionStore interfaces and initial implementation (@JoelSpeed)
+- [#147](https://github.com/pusher/oauth2_proxy/pull/147) Add SessionStore interfaces and initial implementation (@JoelSpeed)
  - Allows for multiple different session storage implementations including client and server side
  - Adds tests suite for interface to ensure consistency across implementations
  - Refactor some configuration options (around cookies) into packages
@ -78,17 +103,21 @@
  - Implement two new flags to customize the logging format
    - `-standard-logging-format` Sets the format for standard logging
    - `-auth-logging-format` Sets the format for auth logging
 - [#111](https://github.com/pusher/oauth2_proxy/pull/111) Add option for telling where to find a login.gov JWT key file (@timothy-spencer)
 - [#170](https://github.com/pusher/oauth2_proxy/pull/170) Restore binary tarball contents to be compatible with bitlys original tarballs (@zeha)
 - [#185](https://github.com/pusher/oauth2_proxy/pull/185) Fix an unsupported protocol scheme error during token validation when using the Azure provider (@jonas)
 - [#141](https://github.com/pusher/oauth2_proxy/pull/141) Check google group membership based on email address (@bchess)
  - Google Group membership is additionally checked via email address, allowing users outside a GSuite domain to be authorized.
- [#195](https://github.com/pusher/outh2_proxy/pull/195) Add `-banner` flag for overriding the banner line that is displayed (@steakunderscore)
+- [#195](https://github.com/pusher/oauth2_proxy/pull/195) Add `-banner` flag for overriding the banner line that is displayed (@steakunderscore)
- [#198](https://github.com/pusher/outh2_proxy/pull/198) Switch from gometalinter to golangci-lint (@steakunderscore)
+- [#198](https://github.com/pusher/oauth2_proxy/pull/198) Switch from gometalinter to golangci-lint (@steakunderscore)
- [#159](https://github.com/pusher/oauth2_proxy/pull/159) Add option to skip the OIDC provider verified email check: `--insecure-oidc-allow-unverified-email`
+- [#159](https://github.com/pusher/oauth2_proxy/pull/159) Add option to skip the OIDC provider verified email check: `--insecure-oidc-allow-unverified-email` (@djfinlay)
 - [#210](https://github.com/pusher/oauth2_proxy/pull/210) Update base image from Alpine 3.9 to 3.10 (@steakunderscore)
 - [#201](https://github.com/pusher/oauth2_proxy/pull/201) Add Bitbucket as new OAuth2 provider, accepts email, team and repository permissions to determine authorization (@aledeganopix4d)
  - Implement flags to enable Bitbucket authentication:
    - `-bitbucket-repository` Restrict authorization to users that can access this repository
    - `-bitbucket-team` Restrict authorization to users that are part of this Bitbucket team
 - [#211](https://github.com/pusher/oauth2_proxy/pull/211) Switch from dep to go modules (@steakunderscore)
 - [#145](https://github.com/pusher/oauth2_proxy/pull/145) Add support for OIDC UserInfo endpoint email verification (@rtluckie)
 # v3.2.0
--- a/README.md
+++ b/README.md
@ -15,7 +15,7 @@ A list of changes can be seen in the [CHANGELOG](CHANGELOG.md).
 1.  Choose how to deploy:
-    a. Download [Prebuilt Binary](https://github.com/pusher/oauth2_proxy/releases) (current release is `v3.2.0`)
+    a. Download [Prebuilt Binary](https://github.com/pusher/oauth2_proxy/releases) (current release is `v4.0.0`)
    b. Build with `$ go get github.com/pusher/oauth2_proxy` which will put the binary in `$GOROOT/bin`
@ -25,7 +25,7 @@ Prebuilt binaries can be validated by extracting the file and verifying it again
 ```
 sha256sum -c sha256sum.txt 2>&1 | grep OK
-oauth2_proxy-3.2.0.linux-amd64: OK
+oauth2_proxy-4.0.0.linux-amd64: OK
 ```
 2.  [Select a Provider and Register an OAuth Application with a Provider](https://pusher.github.io/oauth2_proxy/auth-configuration)
@ -38,6 +38,10 @@ Read the docs on our [Docs site](https://pusher.github.io/oauth2_proxy).
 ![OAuth2 Proxy Architecture](https://cloud.githubusercontent.com/assets/45028/8027702/bd040b7a-0d6a-11e5-85b9-f8d953d04f39.png)
 ## Getting Involved
 If you would like to reach out to the maintainers, come talk to us in the `#oauth2_proxy` channel in the [Gophers slack](http://gophers.slack.com/).
 ## Contributing
 Please see our [Contributing](CONTRIBUTING.md) guidelines.
--- a/docs/0_index.md
+++ b/docs/0_index.md
@ -12,7 +12,7 @@ to validate accounts by email, domain or group.
 **Note:** This repository was forked from [bitly/OAuth2_Proxy](https://github.com/bitly/oauth2_proxy) on 27/11/2018.
 Versions v3.0.0 and up are from this fork and will have diverged from any changes in the original fork.
-A list of changes can be seen in the [CHANGELOG](CHANGELOG.md).
+A list of changes can be seen in the [CHANGELOG]({{ site.gitweb }}/CHANGELOG.md).
 [![Build Status](https://secure.travis-ci.org/pusher/oauth2_proxy.svg?branch=master)](http://travis-ci.org/pusher/oauth2_proxy)
@ -20,4 +20,4 @@ A list of changes can be seen in the [CHANGELOG](CHANGELOG.md).
 ## Architecture
-![OAuth2 Proxy Architecture](https://cloud.githubusercontent.com/assets/45028/8027702/bd040b7a-0d6a-11e5-85b9-f8d953d04f39.png)
+![OAuth2 Proxy Architecture](https://cloud.githubusercontent.com/assets/45028/8027702/bd040b7a-0d6a-11e5-85b9-f8d953d04f39.png)
--- a/docs/2_auth.md
+++ b/docs/2_auth.md
@ -118,13 +118,15 @@ Make sure you set the following to the appropriate url:
 ### GitLab Auth Provider
-Whether you are using GitLab.com or self-hosting GitLab, follow [these steps to add an application](http://doc.gitlab.com/ce/integration/oauth_provider.html)
+Whether you are using GitLab.com or self-hosting GitLab, follow [these steps to add an application](https://docs.gitlab.com/ce/integration/oauth_provider.html). Make sure to enable at least the `openid`, `profile` and `email` scopes.
 Restricting by group membership is possible with the following option:
    -gitlab-group="": restrict logins to members of any of these groups (slug), separated by a comma
 If you are using self-hosted GitLab, make sure you set the following to the appropriate URL:
-    -login-url="<your gitlab url>/oauth/authorize"
+    -oidc-issuer-url="<your gitlab url>"
    -redeem-url="<your gitlab url>/oauth/token"
    -validate-url="<your gitlab url>/api/v4/user"
 ### LinkedIn Auth Provider
@ -139,7 +141,7 @@ For LinkedIn, the registration steps are:
 ### Microsoft Azure AD Provider
-For adding an application to the Microsoft Azure AD follow [these steps to add an application](https://azure.microsoft.com/en-us/documentation/articles/active-directory-integrating-applications/).
+For adding an application to the Microsoft Azure AD follow [these steps to add an application](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app).
 Take note of your `TenantId` if applicable for your situation. The `TenantId` can be used to override the default `common` authorization server with a tenant specific server.
@ -159,6 +161,56 @@ OpenID Connect is a spec for OAUTH 2.0 + identity that is implemented by many ma
    -cookie-secure=false
    -email-domain example.com
 The OpenID Connect Provider (OIDC) can also be used to connect to other Identity Providers such as Okta. To configure the OIDC provider for Okta, perform
 the following steps:
 #### Configuring the OIDC Provider with Okta
 1. Log in to Okta using an administrative account. It is suggested you try this in preview first, `example.oktapreview.com`
 2. (OPTIONAL) If you want to configure authorization scopes and claims to be passed on to multiple applications,
 you may wish to configure an authorization server for each application. Otherwise, the provided `default` will work.
 * Navigate to **Security** then select **API**
 * Click **Add Authorization Server**, if this option is not available you may require an additional license for a custom authorization server.
 * Fill out the **Name** with something to describe the application you are protecting. e.g. 'Example App'.
 * For **Audience**, pick the URL of the application you wish to protect: https://example.corp.com
 * Fill out a **Description**
 * Add any **Access Policies** you wish to configure to limit application access.
 * The default settings will work for other options.
 [See Okta documentation for more information on Authorization Servers](https://developer.okta.com/docs/guides/customize-authz-server/overview/)
 3. Navigate to **Applications** then select **Add Application**.
 * Select **Web** for the **Platform** setting.
 * Select **OpenID Connect** and click **Create**
 * Pick an **Application Name** such as `Example App`.
 * Set the **Login redirect URI** to `https://example.corp.com`.
 * Under **General** set the **Allowed grant types** to `Authorization Code` and `Refresh Token`.
 * Leave the rest as default, taking note of the `Client ID` and `Client Secret`.
 * Under **Assignments** select the users or groups you wish to access your application.
 4. Create a configuration file like the following:
 ```
 provider = "oidc"
 redirect_url = "https://example.corp.com"
 oidc_issuer_url = "https://corp.okta.com/oauth2/abCd1234"
 upstreams = [
    "https://example.corp.com"
 ]
 email_domains = [
    "corp.com"
 ]
 client_id = "XXXXX"
 client_secret = "YYYYY"
 pass_access_token = true
 cookie_secret = "ZZZZZ"
 skip_provider_button = true
 ```
 The `oidc_issuer_url` is based on URL from your **Authorization Server**'s **Issuer** field in step 2, or simply https://corp.okta.com
 The `client_id` and `client_secret` are configured in the application settings.
 Generate a unique `client_secret` to encrypt the cookie.
 Then you can start the oauth2_proxy with `./oauth2_proxy -config /etc/example.cfg`
 ### login.gov Provider
 login.gov is an OIDC provider for the US Government.
@ -240,7 +292,7 @@ To authorize by email domain use `--email-domain=yourcompany.com`. To authorize
 ## Adding a new Provider
-Follow the examples in the [`providers` package](providers/) to define a new
+Follow the examples in the [`providers` package]({{ site.gitweb }}/providers/) to define a new
 `Provider` instance. Add a new `case` to
-[`providers.New()`](providers/providers.go) to allow `oauth2_proxy` to use the
+[`providers.New()`]({{ site.gitweb }}/providers/providers.go) to allow `oauth2_proxy` to use the
 new `Provider`.
--- a/docs/4_tls.md
+++ b/docs/4_tls.md
@ -11,63 +11,63 @@ There are two recommended configurations.
 1.  Configure SSL Termination with OAuth2 Proxy by providing a `--tls-cert-file=/path/to/cert.pem` and `--tls-key-file=/path/to/cert.key`.
-The command line to run `oauth2_proxy` in this configuration would look like this:
+    The command line to run `oauth2_proxy` in this configuration would look like this:
-```bash
+    ```bash
-./oauth2_proxy \
+    ./oauth2_proxy \
-   --email-domain="yourcompany.com"  \
+        --email-domain="yourcompany.com"  \
-   --upstream=http://127.0.0.1:8080/ \
+        --upstream=http://127.0.0.1:8080/ \
-   --tls-cert-file=/path/to/cert.pem \
+        --tls-cert-file=/path/to/cert.pem \
-   --tls-key-file=/path/to/cert.key \
+        --tls-key-file=/path/to/cert.key \
-   --cookie-secret=... \
+        --cookie-secret=... \
-   --cookie-secure=true \
+        --cookie-secure=true \
-   --provider=... \
+        --provider=... \
-   --client-id=... \
+        --client-id=... \
-   --client-secret=...
+        --client-secret=...
-```
+    ```
 2.  Configure SSL Termination with [Nginx](http://nginx.org/) (example config below), Amazon ELB, Google Cloud Platform Load Balancing, or ....
-Because `oauth2_proxy` listens on `127.0.0.1:4180` by default, to listen on all interfaces (needed when using an
+    Because `oauth2_proxy` listens on `127.0.0.1:4180` by default, to listen on all interfaces (needed when using an
-external load balancer like Amazon ELB or Google Platform Load Balancing) use `--http-address="0.0.0.0:4180"` or
+    external load balancer like Amazon ELB or Google Platform Load Balancing) use `--http-address="0.0.0.0:4180"` or
-`--http-address="http://:4180"`.
+    `--http-address="http://:4180"`.
-Nginx will listen on port `443` and handle SSL connections while proxying to `oauth2_proxy` on port `4180`.
+    Nginx will listen on port `443` and handle SSL connections while proxying to `oauth2_proxy` on port `4180`.
-`oauth2_proxy` will then authenticate requests for an upstream application. The external endpoint for this example
+    `oauth2_proxy` will then authenticate requests for an upstream application. The external endpoint for this example
-would be `https://internal.yourcompany.com/`.
+    would be `https://internal.yourcompany.com/`.
-An example Nginx config follows. Note the use of `Strict-Transport-Security` header to pin requests to SSL
+    An example Nginx config follows. Note the use of `Strict-Transport-Security` header to pin requests to SSL
-via [HSTS](http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security):
+    via [HSTS](http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security):
-```
+    ```
-server {
+    server {
-    listen 443 default ssl;
+        listen 443 default ssl;
-    server_name internal.yourcompany.com;
+        server_name internal.yourcompany.com;
-    ssl_certificate /path/to/cert.pem;
+        ssl_certificate /path/to/cert.pem;
-    ssl_certificate_key /path/to/cert.key;
+        ssl_certificate_key /path/to/cert.key;
-    add_header Strict-Transport-Security max-age=2592000;
+        add_header Strict-Transport-Security max-age=2592000;
-    location / {
+        location / {
-        proxy_pass http://127.0.0.1:4180;
+            proxy_pass http://127.0.0.1:4180;
-        proxy_set_header Host $host;
+            proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Scheme $scheme;
+            proxy_set_header X-Scheme $scheme;
-        proxy_connect_timeout 1;
+            proxy_connect_timeout 1;
-        proxy_send_timeout 30;
+            proxy_send_timeout 30;
-        proxy_read_timeout 30;
+            proxy_read_timeout 30;
        }
    }
-}
+    ```
 ```
-The command line to run `oauth2_proxy` in this configuration would look like this:
+    The command line to run `oauth2_proxy` in this configuration would look like this:
-```bash
+    ```bash
-./oauth2_proxy \
+    ./oauth2_proxy \
-   --email-domain="yourcompany.com"  \
+       --email-domain="yourcompany.com"  \
-   --upstream=http://127.0.0.1:8080/ \
+       --upstream=http://127.0.0.1:8080/ \
-   --cookie-secret=... \
+       --cookie-secret=... \
-   --cookie-secure=true \
+       --cookie-secure=true \
-   --provider=... \
+       --provider=... \
-   --client-id=... \
+       --client-id=... \
-   --client-secret=...
+       --client-secret=...
-```
+    ```
--- a/docs/6_request_signatures.md
+++ b/docs/6_request_signatures.md
@ -11,7 +11,7 @@ If `signature_key` is defined, proxied requests will be signed with the
 `GAP-Signature` header, which is a [Hash-based Message Authentication Code
 (HMAC)](https://en.wikipedia.org/wiki/Hash-based_message_authentication_code)
 of selected request information and the request body [see `SIGNATURE_HEADERS`
-in `oauthproxy.go`](./oauthproxy.go).
+in `oauthproxy.go`]({{ site.gitweb }}/oauthproxy.go).
 `signature_key` must be of the form `algorithm:secretkey`, (ie: `signature_key = "sha1:secret0"`)
--- a/docs/_config.yml
+++ b/docs/_config.yml
@ -18,6 +18,7 @@ description: >- # this means to ignore newlines until "baseurl:"
  OAuth2_Proxy documentation site
 baseurl: "/oauth2_proxy" # the subpath of your site, e.g. /blog
 url: "https://pusher.github.io" # the base hostname & protocol for your site, e.g. http://example.com
 gitweb: "https://github.com/pusher/oauth2_proxy/blob/master"
 # Build settings
 markdown: kramdown
--- a/docs/configuration/configuration.md
+++ b/docs/configuration/configuration.md
@ -14,100 +14,101 @@ To generate a strong cookie secret use `python -c 'import os,base64; print base6
 ### Config File
-An example [oauth2_proxy.cfg](contrib/oauth2_proxy.cfg.example) config file is in the contrib directory. It can be used by specifying `-config=/etc/oauth2_proxy.cfg`
+An example [oauth2_proxy.cfg]({{ site.gitweb }}/contrib/oauth2_proxy.cfg.example) config file is in the contrib directory. It can be used by specifying `-config=/etc/oauth2_proxy.cfg`
 ### Command Line Options
-```
+| Option | Type | Description | Default |
-Usage of oauth2_proxy:
+| ------ | ---- | ----------- | ------- |
-  -acr-values string:  optional, used by login.gov (default "http://idmanagement.gov/ns/assurance/loa/1")
+| `-acr-values` | string | optional, used by login.gov | `"http://idmanagement.gov/ns/assurance/loa/1"` |
-  -approval-prompt string: OAuth approval_prompt (default "force")
+| `-approval-prompt` | string | OAuth approval_prompt | `"force"` |
-  -auth-logging: Log authentication attempts (default true)
+| `-auth-logging` | bool | Log authentication attempts | true |
-  -auth-logging-format string: Template for authentication log lines (see "Logging Configuration" paragraph below)
+| `-auth-logging-format` | string | Template for authentication log lines | see [Logging Configuration](#logging-configuration) |
-  -authenticated-emails-file string: authenticate against emails via file (one per line)
+| `-authenticated-emails-file` | string | authenticate against emails via file (one per line) | |
-  -azure-tenant string: go to a tenant-specific or common (tenant-independent) endpoint. (default "common")
+| `-azure-tenant string` | string | go to a tenant-specific or common (tenant-independent) endpoint. | `"common"` |
-  -basic-auth-password string: the password to set when passing the HTTP Basic Auth header
+| `-basic-auth-password` | string | the password to set when passing the HTTP Basic Auth header | |
-  -client-id string: the OAuth Client ID: ie: "123456.apps.googleusercontent.com"
+| `-client-id` | string | the OAuth Client ID: ie: `"123456.apps.googleusercontent.com"` | |
-  -client-secret string: the OAuth Client Secret
+| `-client-secret` | string | the OAuth Client Secret | |
-  -config string: path to config file
+| `-config` | string | path to config file | |
-  -cookie-domain string: an optional cookie domain to force cookies to (ie: .yourcompany.com)
+| `-cookie-domain` | string | an optional cookie domain to force cookies to (ie: `.yourcompany.com`) | |
-  -cookie-expire duration: expire timeframe for cookie (default 168h0m0s)
+| `-cookie-expire` | duration | expire timeframe for cookie | 168h0m0s |
-  -cookie-httponly: set HttpOnly cookie flag (default true)
+| `-cookie-httponly` | bool | set HttpOnly cookie flag | true |
-  -cookie-name string: the name of the cookie that the oauth_proxy creates (default "_oauth2_proxy")
+| `-cookie-name` | string | the name of the cookie that the oauth_proxy creates | `"_oauth2_proxy"` |
-  -cookie-path string: an optional cookie path to force cookies to (ie: /poc/)* (default "/")
+| `-cookie-path` | string | an optional cookie path to force cookies to (ie: `/poc/`) | `"/"` |
-  -cookie-refresh duration: refresh the cookie after this duration; 0 to disable
+| `-cookie-refresh` | duration | refresh the cookie after this duration; `0` to disable | |
-  -cookie-secret string: the seed string for secure cookies (optionally base64 encoded)
+| `-cookie-secret` | string | the seed string for secure cookies (optionally base64 encoded) | |
-  -cookie-secure: set secure (HTTPS) cookie flag (default true)
+| `-cookie-secure` | bool | set secure (HTTPS) cookie flag | true |
-  -custom-templates-dir string: path to custom html templates
+| `-custom-templates-dir` | string | path to custom html templates | |
-  -display-htpasswd-form: display username / password login form if an htpasswd file is provided (default true)
+| `-display-htpasswd-form` | bool | display username / password login form if an htpasswd file is provided | true |
-  -email-domain value: authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email
+| `-email-domain` | string | authenticate emails with the specified domain (may be given multiple times). Use `*` to authenticate any email | |
-  -extra-jwt-issuers: if -skip-jwt-bearer-tokens is set, a list of extra JWT issuer=audience pairs (where the issuer URL has a .well-known/openid-configuration or a .well-known/jwks.json)
+| `-extra-jwt-issuers` | string | if `-skip-jwt-bearer-tokens` is set, a list of extra JWT `issuer=audience` pairs (where the issuer URL has a `.well-known/openid-configuration` or a `.well-known/jwks.json`) | |
-  -exclude-logging-paths: comma separated list of paths to exclude from logging, eg: "/ping,/path2" (default "" = no paths excluded)
+| `-exclude-logging-paths` | string | comma separated list of paths to exclude from logging, eg: `"/ping,/path2"` |`""` (no paths excluded) |
-  -flush-interval: period between flushing response buffers when streaming responses (default "1s")
+| `-flush-interval` | duration | period between flushing response buffers when streaming responses | `"1s"` |
-  -banner string: custom banner string. Use "-" to disable default banner.
+| `-banner` | string | custom banner string. Use `"-"` to disable default banner. | |
-  -footer string: custom footer string. Use "-" to disable default footer.
+| `-footer` | string | custom footer string. Use `"-"` to disable default footer. | |
-  -gcp-healthchecks: will enable /liveness_check, /readiness_check, and / (with the proper user-agent) endpoints that will make it work well with GCP App Engine and GKE Ingresses (default false)
+| `-gcp-healthchecks` | bool | will enable `/liveness_check`, `/readiness_check`, and `/` (with the proper user-agent) endpoints that will make it work well with GCP App Engine and GKE Ingresses | false |
-  -github-org string: restrict logins to members of this organisation
+| `-github-org` | string | restrict logins to members of this organisation | |
-  -github-team string: restrict logins to members of any of these teams (slug), separated by a comma
+| `-github-team` | string | restrict logins to members of any of these teams (slug), separated by a comma | |
-  -google-admin-email string: the google admin to impersonate for api calls
+| `-gitlab-group` | string | restrict logins to members of any of these groups (slug), separated by a comma | |
-  -google-group value: restrict logins to members of this google group (may be given multiple times).
+| `-google-admin-email` | string | the google admin to impersonate for api calls | |
-  -google-service-account-json string: the path to the service account json credentials
+| `-google-group` | string | restrict logins to members of this google group (may be given multiple times). | |
-  -htpasswd-file string: additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption
+| `-google-service-account-json` | string | the path to the service account json credentials | |
-  -http-address string: [http://]<addr>:<port> or unix://<path> to listen on for HTTP clients (default "127.0.0.1:4180")
+| `-htpasswd-file` | string | additionally authenticate against a htpasswd file. Entries must be created with `htpasswd -s` for SHA encryption | |
-  -https-address string: <addr>:<port> to listen on for HTTPS clients (default ":443")
+| `-http-address` | string | `[http://]<addr>:<port>` or `unix://<path>` to listen on for HTTP clients | `"127.0.0.1:4180"` |
-  -logging-compress: Should rotated log files be compressed using gzip (default false)
+| `-https-address` | string | `<addr>:<port>` to listen on for HTTPS clients | `":443"` |
-  -logging-filename string: File to log requests to, empty for stdout (default to stdout)
+| `-logging-compress` | bool | Should rotated log files be compressed using gzip | false |
-  -logging-local-time: If the time in log files and backup filenames are local or UTC time (default true)
+| `-logging-filename` | string | File to log requests to, empty for `stdout` | `""` (stdout) |
-  -logging-max-age int: Maximum number of days to retain old log files (default 7)
+| `-logging-local-time` | bool | Use local time in log files and backup filenames instead of UTC | true (local time) |
-  -logging-max-backups int: Maximum number of old log files to retain; 0 to disable (default 0)
+| `-logging-max-age` | int | Maximum number of days to retain old log files | 7 |
-  -logging-max-size int: Maximum size in megabytes of the log file before rotation (default 100)
+| `-logging-max-backups` | int | Maximum number of old log files to retain; 0 to disable | 0  |
-  -jwt-key string: private key in PEM format used to sign JWT, so that you can say something like -jwt-key="${OAUTH2_PROXY_JWT_KEY}": required by login.gov
+| `-logging-max-size` | int | Maximum size in megabytes of the log file before rotation | 100 |
-  -jwt-key-file string: path to the private key file in PEM format used to sign the JWT so that you can say something like -jwt-key-file=/etc/ssl/private/jwt_signing_key.pem: required by login.gov
+| `-jwt-key` | string | private key in PEM format used to sign JWT, so that you can say something like `-jwt-key="${OAUTH2_PROXY_JWT_KEY}"`: required by login.gov | |
-  -login-url string: Authentication endpoint
+| `-jwt-key-file` | string | path to the private key file in PEM format used to sign the JWT so that you can say something like `-jwt-key-file=/etc/ssl/private/jwt_signing_key.pem`: required by login.gov | |
-  -insecure-oidc-allow-unverified-email: don't fail if an email address in an id_token is not verified
+| `-login-url` | string | Authentication endpoint | |
-  -oidc-issuer-url: the OpenID Connect issuer URL. ie: "https://accounts.google.com"
+| `-insecure-oidc-allow-unverified-email` | bool | don't fail if an email address in an id_token is not verified | false |
-  -oidc-jwks-url string: OIDC JWKS URI for token verification; required if OIDC discovery is disabled
+| `-oidc-issuer-url` | string | the OpenID Connect issuer URL. ie: `"https://accounts.google.com"` | |
-  -pass-access-token: pass OAuth access_token to upstream via X-Forwarded-Access-Token header
+| `-oidc-jwks-url` | string | OIDC JWKS URI for token verification; required if OIDC discovery is disabled | |
-  -pass-authorization-header: pass OIDC IDToken to upstream via Authorization Bearer header
+| `-pass-access-token` | bool | pass OAuth access_token to upstream via X-Forwarded-Access-Token header | false |
-  -pass-basic-auth: pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream (default true)
+| `-pass-authorization-header` | bool | pass OIDC IDToken to upstream via Authorization Bearer header | false |
-  -pass-host-header: pass the request Host Header to upstream (default true)
+| `-pass-basic-auth` | bool | pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream | true |
-  -pass-user-headers: pass X-Forwarded-User and X-Forwarded-Email information to upstream (default true)
+| `-pass-host-header` | bool | pass the request Host Header to upstream | true |
-  -profile-url string: Profile access endpoint
+| `-pass-user-headers` | bool | pass X-Forwarded-User and X-Forwarded-Email information to upstream | true |
-  -provider string: OAuth provider (default "google")
+| `-profile-url` | string | Profile access endpoint | |
-  -ping-path string: the ping endpoint that can be used for basic health checks (default "/ping")
+| `-provider` | string | OAuth provider | google |
-  -proxy-prefix string: the url root path that this proxy should be nested under (e.g. /<oauth2>/sign_in) (default "/oauth2")
+| `-ping-path` | string | the ping endpoint that can be used for basic health checks | `"/ping"` |
-  -proxy-websockets: enables WebSocket proxying (default true)
+| `-proxy-prefix` | string | the url root path that this proxy should be nested under (e.g. /`<oauth2>/sign_in`) | `"/oauth2"` |
-  -pubjwk-url string: JWK pubkey access endpoint: required by login.gov
+| `-proxy-websockets` | bool | enables WebSocket proxying | true |
-  -redeem-url string: Token redemption endpoint
+| `-pubjwk-url` | string | JWK pubkey access endpoint: required by login.gov | |
-  -redirect-url string: the OAuth Redirect URL. ie: "https://internalapp.yourcompany.com/oauth2/callback"
+| `-redeem-url` | string | Token redemption endpoint | |
-  -redis-connection-url string: URL of redis server for redis session storage (eg: redis://HOST[:PORT])
+| `-redirect-url` | string | the OAuth Redirect URL. ie: `"https://internalapp.yourcompany.com/oauth2/callback"` | |
-  -redis-sentinel-master-name string: Redis sentinel master name. Used in conjuction with --redis-use-sentinel
+| `-redis-connection-url` | string | URL of redis server for redis session storage (eg: `redis://HOST[:PORT]`) | |
-  -redis-sentinel-connection-urls: List of Redis sentinel conneciton URLs (eg redis://HOST[:PORT]). Used in conjuction with --redis-use-sentinel
+| `-redis-sentinel-master-name` | string | Redis sentinel master name. Used in conjunction with `--redis-use-sentinel` | |
-  -redis-use-sentinel: Connect to redis via sentinels. Must set --redis-sentinel-master-name and --redis-sentinel-connection-urls to use this feature (default: false)
+| `-redis-sentinel-connection-urls` | string \| list | List of Redis sentinel connection URLs (eg `redis://HOST[:PORT]`). Used in conjunction with `--redis-use-sentinel` | |
-  -request-logging: Log requests to stdout (default true)
+| `-redis-use-sentinel` | bool | Connect to redis via sentinels. Must set `--redis-sentinel-master-name` and `--redis-sentinel-connection-urls` to use this feature | false |
-  -request-logging-format: Template for request log lines (see "Logging Configuration" paragraph below)
+| `-request-logging` | bool | Log requests | true |
-  -resource string: The resource that is protected (Azure AD only)
+| `-request-logging-format` | string | Template for request log lines | see [Logging Configuration](#logging-configuration) |
-  -scope string: OAuth scope specification
+| `-resource` | string | The resource that is protected (Azure AD only) | |
-  -session-store-type: Session data storage backend (default: cookie)
+| `-scope` | string | OAuth scope specification | |
-  -set-xauthrequest: set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode)
+| `-session-store-type` | string | Session data storage backend | cookie |
-  -set-authorization-header: set Authorization Bearer response header (useful in Nginx auth_request mode)
+| `-set-xauthrequest` | bool | set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode) | false |
-  -signature-key string: GAP-Signature request signature key (algorithm:secretkey)
+| `-set-authorization-header` | bool | set Authorization Bearer response header (useful in Nginx auth_request mode) | false |
-  -silence-ping-logging bool: disable logging of requests to ping endpoint (default false) 
+| `-signature-key` | string | GAP-Signature request signature key (algorithm:secretkey) | |
-  -skip-auth-preflight: will skip authentication for OPTIONS requests
+| `-silence-ping-logging` | bool | disable logging of requests to ping endpoint | false |
-  -skip-auth-regex value: bypass authentication for requests path's that match (may be given multiple times)
+| `-skip-auth-preflight` | bool | will skip authentication for OPTIONS requests | false |
-  -skip-jwt-bearer-tokens: will skip requests that have verified JWT bearer tokens
+| `-skip-auth-regex` | string | bypass authentication for requests paths that match (may be given multiple times) | |
-  -skip-oidc-discovery: bypass OIDC endpoint discovery. login-url, redeem-url and oidc-jwks-url must be configured in this case
+| `-skip-jwt-bearer-tokens` | bool | will skip requests that have verified JWT bearer tokens | false |
-  -skip-provider-button: will skip sign-in-page to directly reach the next step: oauth/start
+| `-skip-oidc-discovery` | bool | bypass OIDC endpoint discovery. `-login-url`, `-redeem-url` and `-oidc-jwks-url` must be configured in this case | false |
-  -ssl-insecure-skip-verify: skip validation of certificates presented when using HTTPS
+| `-skip-provider-button` | bool | will skip sign-in-page to directly reach the next step: oauth/start | false |
-  -standard-logging: Log standard runtime information (default true)
+| `-ssl-insecure-skip-verify` | bool | skip validation of certificates presented when using HTTPS providers | false |
-  -standard-logging-format string: Template for standard log lines (see "Logging Configuration" paragraph below)
+| `-ssl-upstream-insecure-skip-verify` | bool | skip validation of certificates presented when using HTTPS upstreams | false |
-  -tls-cert-file string: path to certificate file
+| `-standard-logging` | bool | Log standard runtime information | true |
-  -tls-key-file string: path to private key file
+| `-standard-logging-format` | string | Template for standard log lines | see [Logging Configuration](#logging-configuration) |
-  -upstream value: the http url(s) of the upstream endpoint or file:// paths for static files. Routing is based on the path
+| `-tls-cert-file` | string | path to certificate file | |
-  -validate-url string: Access token validation endpoint
+| `-tls-key-file` | string | path to private key file | |
-  -version: print version string
+| `-upstream` | string \| list | the http url(s) of the upstream endpoint or `file://` paths for static files. Routing is based on the path | |
-  -whitelist-domain: allowed domains for redirection after authentication. Prefix domain with a . to allow subdomains (eg .example.com)
+| `-validate-url` | string | Access token validation endpoint | |
-```
+| `-version` | n/a | print version string | |
 | `-whitelist-domain` | string \| list | allowed domains for redirection after authentication. Prefix domain with a `.` to allow subdomains (eg `.example.com`) | |
 Note, when using the `whitelist-domain` option, any domain prefixed with a `.` will allow any subdomain of the specified domain as a valid redirect URL.
--- a/docs/configuration/sessions.md
+++ b/docs/configuration/sessions.md
@ -15,8 +15,8 @@ The OAuth2 Proxy uses a Cookie to track user sessions and will store the session
 data in one of the available session storage backends.
 At present the available backends are (as passed to `--session-store-type`):
- [cookie](cookie-storage) (default)
+- [cookie](#cookie-storage) (default)
- [redis](redis-storage)
+- [redis](#redis-storage)
 ### Cookie Storage
--- a/main.go
+++ b/main.go
@ -47,7 +47,8 @@ func main() {
 	flagSet.Var(&skipAuthRegex, "skip-auth-regex", "bypass authentication for requests path's that match (may be given multiple times)")
 	flagSet.Bool("skip-provider-button", false, "will skip sign-in-page to directly reach the next step: oauth/start")
 	flagSet.Bool("skip-auth-preflight", false, "will skip authentication for OPTIONS requests")
-	flagSet.Bool("ssl-insecure-skip-verify", false, "skip validation of certificates presented when using HTTPS")
+	flagSet.Bool("ssl-insecure-skip-verify", false, "skip validation of certificates presented when using HTTPS providers")
 	flagSet.Bool("ssl-upstream-insecure-skip-verify", false, "skip validation of certificates presented when using HTTPS upstreams")
 	flagSet.Duration("flush-interval", time.Duration(1)*time.Second, "period between response flushing when streaming responses")
 	flagSet.Bool("skip-jwt-bearer-tokens", false, "will skip requests that have verified JWT bearer tokens (default false)")
 	flagSet.Var(&jwtIssuers, "extra-jwt-issuers", "if skip-jwt-bearer-tokens is set, a list of extra JWT issuer=audience pairs (where the issuer URL has a .well-known/openid-configuration or a .well-known/jwks.json)")
@ -56,8 +57,11 @@ func main() {
 	flagSet.Var(&whitelistDomains, "whitelist-domain", "allowed domains for redirection after authentication. Prefix domain with a . to allow subdomains (eg .example.com)")
 	flagSet.String("keycloak-group", "", "restrict login to members of this group.")
 	flagSet.String("azure-tenant", "common", "go to a tenant-specific or common (tenant-independent) endpoint.")
 	flagSet.String("bitbucket-team", "", "restrict logins to members of this team")
 	flagSet.String("bitbucket-repository", "", "restrict logins to user with access to this repository")
 	flagSet.String("github-org", "", "restrict logins to members of this organisation")
 	flagSet.String("github-team", "", "restrict logins to members of this team")
 	flagSet.String("gitlab-group", "", "restrict logins to members of this group")
 	flagSet.Var(&googleGroups, "google-group", "restrict logins to members of this google group (may be given multiple times).")
 	flagSet.String("google-admin-email", "", "the google admin to impersonate for api calls")
 	flagSet.String("google-service-account-json", "", "the path to the service account json credentials")
@ -85,8 +89,8 @@ func main() {
 	flagSet.String("session-store-type", "cookie", "the session storage provider to use")
 	flagSet.String("redis-connection-url", "", "URL of redis server for redis session storage (eg: redis://HOST[:PORT])")
 	flagSet.Bool("redis-use-sentinel", false, "Connect to redis via sentinels. Must set --redis-sentinel-master-name and --redis-sentinel-connection-urls to use this feature")
-	flagSet.String("redis-sentinel-master-name", "", "Redis sentinel master name. Used in conjuction with --redis-use-sentinel")
+	flagSet.String("redis-sentinel-master-name", "", "Redis sentinel master name. Used in conjunction with --redis-use-sentinel")
-	flagSet.Var(&redisSentinelConnectionURLs, "redis-sentinel-connection-urls", "List of Redis sentinel connection URLs (eg redis://HOST[:PORT]). Used in conjuction with --redis-use-sentinel")
+	flagSet.Var(&redisSentinelConnectionURLs, "redis-sentinel-connection-urls", "List of Redis sentinel connection URLs (eg redis://HOST[:PORT]). Used in conjunction with --redis-use-sentinel")
 	flagSet.String("logging-filename", "", "File to log requests to, empty for stdout")
 	flagSet.Int("logging-max-size", 100, "Maximum size in megabytes of the log file before rotation")
--- a/oauthproxy.go
+++ b/oauthproxy.go
@ -2,6 +2,7 @@ package main
 import (
 	"context"
 	"crypto/tls"
 	b64 "encoding/base64"
 	"errors"
 	"fmt"
@ -128,9 +129,14 @@ func (u *UpstreamProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 // NewReverseProxy creates a new reverse proxy for proxying requests to upstream
 // servers
-func NewReverseProxy(target *url.URL, flushInterval time.Duration) (proxy *httputil.ReverseProxy) {
+func NewReverseProxy(target *url.URL, opts *Options) (proxy *httputil.ReverseProxy) {
 	proxy = httputil.NewSingleHostReverseProxy(target)
-	proxy.FlushInterval = flushInterval
+	proxy.FlushInterval = opts.FlushInterval
 	if opts.SSLUpstreamInsecureSkipVerify {
 		proxy.Transport = &http.Transport{
 			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
 		}
 	}
 	return proxy
 }
@ -163,7 +169,7 @@ func NewFileServer(path string, filesystemPath string) (proxy http.Handler) {
 // NewWebSocketOrRestReverseProxy creates a reverse proxy for REST or websocket based on url
 func NewWebSocketOrRestReverseProxy(u *url.URL, opts *Options, auth hmacauth.HmacAuth) http.Handler {
 	u.Path = ""
-	proxy := NewReverseProxy(u, opts.FlushInterval)
+	proxy := NewReverseProxy(u, opts)
 	if !opts.PassHostHeader {
 		setProxyUpstreamHostHeader(proxy, u)
 	} else {
@ -814,32 +820,60 @@ func (p *OAuthProxy) addHeadersForProxying(rw http.ResponseWriter, req *http.Req
 		req.Header["X-Forwarded-User"] = []string{session.User}
 		if session.Email != "" {
 			req.Header["X-Forwarded-Email"] = []string{session.Email}
 		} else {
 			req.Header.Del("X-Forwarded-Email")
 		}
 	}
 	if p.PassUserHeaders {
 		req.Header["X-Forwarded-User"] = []string{session.User}
 		if session.Email != "" {
 			req.Header["X-Forwarded-Email"] = []string{session.Email}
 		} else {
 			req.Header.Del("X-Forwarded-Email")
 		}
 	}
 	if p.SetXAuthRequest {
 		rw.Header().Set("X-Auth-Request-User", session.User)
 		if session.Email != "" {
 			rw.Header().Set("X-Auth-Request-Email", session.Email)
 		} else {
 			rw.Header().Del("X-Auth-Request-Email")
 		}
-		if p.PassAccessToken && session.AccessToken != "" {
+
-			rw.Header().Set("X-Auth-Request-Access-Token", session.AccessToken)
+		if p.PassAccessToken {
 			if session.AccessToken != "" {
 				rw.Header().Set("X-Auth-Request-Access-Token", session.AccessToken)
 			} else {
 				rw.Header().Del("X-Auth-Request-Access-Token")
 			}
 		}
 	}
-	if p.PassAccessToken && session.AccessToken != "" {
+
-		req.Header["X-Forwarded-Access-Token"] = []string{session.AccessToken}
+	if p.PassAccessToken {
 		if session.AccessToken != "" {
 			req.Header["X-Forwarded-Access-Token"] = []string{session.AccessToken}
 		} else {
 			req.Header.Del("X-Forwarded-Access-Token")
 		}
 	}
-	if p.PassAuthorization && session.IDToken != "" {
+
-		req.Header["Authorization"] = []string{fmt.Sprintf("Bearer %s", session.IDToken)}
+	if p.PassAuthorization {
 		if session.IDToken != "" {
 			req.Header["Authorization"] = []string{fmt.Sprintf("Bearer %s", session.IDToken)}
 		} else {
 			req.Header.Del("Authorization")
 		}
 	}
-	if p.SetAuthorization && session.IDToken != "" {
+	if p.SetAuthorization {
-		rw.Header().Set("Authorization", fmt.Sprintf("Bearer %s", session.IDToken))
+		if session.IDToken != "" {
 			rw.Header().Set("Authorization", fmt.Sprintf("Bearer %s", session.IDToken))
 		} else {
 			rw.Header().Del("Authorization")
 		}
 	}
 	if session.Email == "" {
 		rw.Header().Set("GAP-Auth", session.User)
 	} else {
@ -892,7 +926,7 @@ func isAjax(req *http.Request) bool {
 	return false
 }
-// ErrorJSON returns the error code witht an application/json mime type
+// ErrorJSON returns the error code with an application/json mime type
 func (p *OAuthProxy) ErrorJSON(rw http.ResponseWriter, code int) {
 	rw.Header().Set("Content-Type", applicationJSON)
 	rw.WriteHeader(code)
--- a/oauthproxy_test.go
+++ b/oauthproxy_test.go
@ -122,7 +122,7 @@ func TestNewReverseProxy(t *testing.T) {
 	backendHost := net.JoinHostPort(backendHostname, backendPort)
 	proxyURL, _ := url.Parse(backendURL.Scheme + "://" + backendHost + "/")
-	proxyHandler := NewReverseProxy(proxyURL, time.Second)
+	proxyHandler := NewReverseProxy(proxyURL, &Options{FlushInterval: time.Second})
 	setProxyUpstreamHostHeader(proxyHandler, proxyURL)
 	frontend := httptest.NewServer(proxyHandler)
 	defer frontend.Close()
@ -144,7 +144,7 @@ func TestEncodedSlashes(t *testing.T) {
 	defer backend.Close()
 	b, _ := url.Parse(backend.URL)
-	proxyHandler := NewReverseProxy(b, time.Second)
+	proxyHandler := NewReverseProxy(b, &Options{FlushInterval: time.Second})
 	setProxyDirector(proxyHandler)
 	frontend := httptest.NewServer(proxyHandler)
 	defer frontend.Close()
--- a/options.go
+++ b/options.go
@ -43,10 +43,13 @@ type Options struct {
 	AuthenticatedEmailsFile  string   `flag:"authenticated-emails-file" cfg:"authenticated_emails_file" env:"OAUTH2_PROXY_AUTHENTICATED_EMAILS_FILE"`
 	KeycloakGroup            string   `flag:"keycloak-group" cfg:"keycloak_group" env:"OAUTH2_PROXY_KEYCLOAK_GROUP"`
 	AzureTenant              string   `flag:"azure-tenant" cfg:"azure_tenant" env:"OAUTH2_PROXY_AZURE_TENANT"`
 	BitbucketTeam            string   `flag:"bitbucket-team" cfg:"bitbucket_team" env:"OAUTH2_PROXY_BITBUCKET_TEAM"`
 	BitbucketRepository      string   `flag:"bitbucket-repository" cfg:"bitbucket_repository" env:"OAUTH2_PROXY_BITBUCKET_REPOSITORY"`
 	EmailDomains             []string `flag:"email-domain" cfg:"email_domains" env:"OAUTH2_PROXY_EMAIL_DOMAINS"`
 	WhitelistDomains         []string `flag:"whitelist-domain" cfg:"whitelist_domains" env:"OAUTH2_PROXY_WHITELIST_DOMAINS"`
 	GitHubOrg                string   `flag:"github-org" cfg:"github_org" env:"OAUTH2_PROXY_GITHUB_ORG"`
 	GitHubTeam               string   `flag:"github-team" cfg:"github_team" env:"OAUTH2_PROXY_GITHUB_TEAM"`
 	GitLabGroup              string   `flag:"gitlab-group" cfg:"gitlab_group" env:"OAUTH2_PROXY_GITLAB_GROUP"`
 	GoogleGroups             []string `flag:"google-group" cfg:"google_group" env:"OAUTH2_PROXY_GOOGLE_GROUPS"`
 	GoogleAdminEmail         string   `flag:"google-admin-email" cfg:"google_admin_email" env:"OAUTH2_PROXY_GOOGLE_ADMIN_EMAIL"`
 	GoogleServiceAccountJSON string   `flag:"google-service-account-json" cfg:"google_service_account_json" env:"OAUTH2_PROXY_GOOGLE_SERVICE_ACCOUNT_JSON"`
@ -62,22 +65,23 @@ type Options struct {
 	// Embed SessionOptions
 	options.SessionOptions
-	Upstreams             []string      `flag:"upstream" cfg:"upstreams" env:"OAUTH2_PROXY_UPSTREAMS"`
+	Upstreams                     []string      `flag:"upstream" cfg:"upstreams" env:"OAUTH2_PROXY_UPSTREAMS"`
-	SkipAuthRegex         []string      `flag:"skip-auth-regex" cfg:"skip_auth_regex" env:"OAUTH2_PROXY_SKIP_AUTH_REGEX"`
+	SkipAuthRegex                 []string      `flag:"skip-auth-regex" cfg:"skip_auth_regex" env:"OAUTH2_PROXY_SKIP_AUTH_REGEX"`
-	SkipJwtBearerTokens   bool          `flag:"skip-jwt-bearer-tokens" cfg:"skip_jwt_bearer_tokens" env:"OAUTH2_PROXY_SKIP_JWT_BEARER_TOKENS"`
+	SkipJwtBearerTokens           bool          `flag:"skip-jwt-bearer-tokens" cfg:"skip_jwt_bearer_tokens" env:"OAUTH2_PROXY_SKIP_JWT_BEARER_TOKENS"`
-	ExtraJwtIssuers       []string      `flag:"extra-jwt-issuers" cfg:"extra_jwt_issuers" env:"OAUTH2_PROXY_EXTRA_JWT_ISSUERS"`
+	ExtraJwtIssuers               []string      `flag:"extra-jwt-issuers" cfg:"extra_jwt_issuers" env:"OAUTH2_PROXY_EXTRA_JWT_ISSUERS"`
-	PassBasicAuth         bool          `flag:"pass-basic-auth" cfg:"pass_basic_auth" env:"OAUTH2_PROXY_PASS_BASIC_AUTH"`
+	PassBasicAuth                 bool          `flag:"pass-basic-auth" cfg:"pass_basic_auth" env:"OAUTH2_PROXY_PASS_BASIC_AUTH"`
-	BasicAuthPassword     string        `flag:"basic-auth-password" cfg:"basic_auth_password" env:"OAUTH2_PROXY_BASIC_AUTH_PASSWORD"`
+	BasicAuthPassword             string        `flag:"basic-auth-password" cfg:"basic_auth_password" env:"OAUTH2_PROXY_BASIC_AUTH_PASSWORD"`
-	PassAccessToken       bool          `flag:"pass-access-token" cfg:"pass_access_token" env:"OAUTH2_PROXY_PASS_ACCESS_TOKEN"`
+	PassAccessToken               bool          `flag:"pass-access-token" cfg:"pass_access_token" env:"OAUTH2_PROXY_PASS_ACCESS_TOKEN"`
-	PassHostHeader        bool          `flag:"pass-host-header" cfg:"pass_host_header" env:"OAUTH2_PROXY_PASS_HOST_HEADER"`
+	PassHostHeader                bool          `flag:"pass-host-header" cfg:"pass_host_header" env:"OAUTH2_PROXY_PASS_HOST_HEADER"`
-	SkipProviderButton    bool          `flag:"skip-provider-button" cfg:"skip_provider_button" env:"OAUTH2_PROXY_SKIP_PROVIDER_BUTTON"`
+	SkipProviderButton            bool          `flag:"skip-provider-button" cfg:"skip_provider_button" env:"OAUTH2_PROXY_SKIP_PROVIDER_BUTTON"`
-	PassUserHeaders       bool          `flag:"pass-user-headers" cfg:"pass_user_headers" env:"OAUTH2_PROXY_PASS_USER_HEADERS"`
+	PassUserHeaders               bool          `flag:"pass-user-headers" cfg:"pass_user_headers" env:"OAUTH2_PROXY_PASS_USER_HEADERS"`
-	SSLInsecureSkipVerify bool          `flag:"ssl-insecure-skip-verify" cfg:"ssl_insecure_skip_verify" env:"OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY"`
+	SSLInsecureSkipVerify         bool          `flag:"ssl-insecure-skip-verify" cfg:"ssl_insecure_skip_verify" env:"OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY"`
-	SetXAuthRequest       bool          `flag:"set-xauthrequest" cfg:"set_xauthrequest" env:"OAUTH2_PROXY_SET_XAUTHREQUEST"`
+	SSLUpstreamInsecureSkipVerify bool          `flag:"ssl-upstream-insecure-skip-verify" cfg:"ssl_upstream_insecure_skip_verify" env:"OAUTH2_PROXY_SSL_UPSTREAM_INSECURE_SKIP_VERIFY"`
-	SetAuthorization      bool          `flag:"set-authorization-header" cfg:"set_authorization_header" env:"OAUTH2_PROXY_SET_AUTHORIZATION_HEADER"`
+	SetXAuthRequest               bool          `flag:"set-xauthrequest" cfg:"set_xauthrequest" env:"OAUTH2_PROXY_SET_XAUTHREQUEST"`
-	PassAuthorization     bool          `flag:"pass-authorization-header" cfg:"pass_authorization_header" env:"OAUTH2_PROXY_PASS_AUTHORIZATION_HEADER"`
+	SetAuthorization              bool          `flag:"set-authorization-header" cfg:"set_authorization_header" env:"OAUTH2_PROXY_SET_AUTHORIZATION_HEADER"`
-	SkipAuthPreflight     bool          `flag:"skip-auth-preflight" cfg:"skip_auth_preflight" env:"OAUTH2_PROXY_SKIP_AUTH_PREFLIGHT"`
+	PassAuthorization             bool          `flag:"pass-authorization-header" cfg:"pass_authorization_header" env:"OAUTH2_PROXY_PASS_AUTHORIZATION_HEADER"`
-	FlushInterval         time.Duration `flag:"flush-interval" cfg:"flush_interval" env:"OAUTH2_PROXY_FLUSH_INTERVAL"`
+	SkipAuthPreflight             bool          `flag:"skip-auth-preflight" cfg:"skip_auth_preflight" env:"OAUTH2_PROXY_SKIP_AUTH_PREFLIGHT"`
 	FlushInterval                 time.Duration `flag:"flush-interval" cfg:"flush_interval" env:"OAUTH2_PROXY_FLUSH_INTERVAL"`
 	// These options allow for other providers besides Google, with
 	// potential overrides.
@ -406,6 +410,9 @@ func parseProviderInfo(o *Options, msgs []string) []string {
 				p.SetGroupRestriction(o.GoogleGroups, o.GoogleAdminEmail, file)
 			}
 		}
 	case *providers.BitbucketProvider:
 		p.SetTeam(o.BitbucketTeam)
 		p.SetRepository(o.BitbucketRepository)
 	case *providers.OIDCProvider:
 		p.AllowUnverifiedEmail = o.InsecureOIDCAllowUnverifiedEmail
 		if o.oidcVerifier == nil {
@ -413,6 +420,29 @@ func parseProviderInfo(o *Options, msgs []string) []string {
 		} else {
 			p.Verifier = o.oidcVerifier
 		}
 	case *providers.GitLabProvider:
 		p.AllowUnverifiedEmail = o.InsecureOIDCAllowUnverifiedEmail
 		p.Group = o.GitLabGroup
 		p.EmailDomains = o.EmailDomains
 		if o.oidcVerifier != nil {
 			p.Verifier = o.oidcVerifier
 		} else {
 			// Initialize with default verifier for gitlab.com
 			ctx := context.Background()
 			provider, err := oidc.NewProvider(ctx, "https://gitlab.com")
 			if err != nil {
 				msgs = append(msgs, "failed to initialize oidc provider for gitlab.com")
 			} else {
 				p.Verifier = provider.Verifier(&oidc.Config{
 					ClientID: o.ClientID,
 				})
 				p.LoginURL, msgs = parseURL(provider.Endpoint().AuthURL, "login", msgs)
 				p.RedeemURL, msgs = parseURL(provider.Endpoint().TokenURL, "redeem", msgs)
 			}
 		}
 	case *providers.LoginGovProvider:
 		p.AcrValues = o.AcrValues
 		p.PubJWKURL, msgs = parseURL(o.PubJWKURL, "pubjwk", msgs)
--- a/providers/bitbucket.go
+++ b/providers/bitbucket.go
@ -0,0 +1,163 @@
 package providers
 import (
 	"net/http"
 	"net/url"
 	"strings"
 	"github.com/pusher/oauth2_proxy/pkg/apis/sessions"
 	"github.com/pusher/oauth2_proxy/pkg/logger"
 	"github.com/pusher/oauth2_proxy/pkg/requests"
 )
 // BitbucketProvider represents an Bitbucket based Identity Provider
 type BitbucketProvider struct {
 	*ProviderData
 	Team       string
 	Repository string
 }
 // NewBitbucketProvider initiates a new BitbucketProvider
 func NewBitbucketProvider(p *ProviderData) *BitbucketProvider {
 	p.ProviderName = "Bitbucket"
 	if p.LoginURL == nil || p.LoginURL.String() == "" {
 		p.LoginURL = &url.URL{
 			Scheme: "https",
 			Host:   "bitbucket.org",
 			Path:   "/site/oauth2/authorize",
 		}
 	}
 	if p.RedeemURL == nil || p.RedeemURL.String() == "" {
 		p.RedeemURL = &url.URL{
 			Scheme: "https",
 			Host:   "bitbucket.org",
 			Path:   "/site/oauth2/access_token",
 		}
 	}
 	if p.ValidateURL == nil || p.ValidateURL.String() == "" {
 		p.ValidateURL = &url.URL{
 			Scheme: "https",
 			Host:   "api.bitbucket.org",
 			Path:   "/2.0/user/emails",
 		}
 	}
 	if p.Scope == "" {
 		p.Scope = "email"
 	}
 	return &BitbucketProvider{ProviderData: p}
 }
 // SetTeam defines the Bitbucket team the user must be part of
 func (p *BitbucketProvider) SetTeam(team string) {
 	p.Team = team
 	if !strings.Contains(p.Scope, "team") {
 		p.Scope += " team"
 	}
 }
 // SetRepository defines the repository the user must have access to
 func (p *BitbucketProvider) SetRepository(repository string) {
 	p.Repository = repository
 	if !strings.Contains(p.Scope, "repository") {
 		p.Scope += " repository"
 	}
 }
 // GetEmailAddress returns the email of the authenticated user
 func (p *BitbucketProvider) GetEmailAddress(s *sessions.SessionState) (string, error) {
 	var emails struct {
 		Values []struct {
 			Email   string `json:"email"`
 			Primary bool   `json:"is_primary"`
 		}
 	}
 	var teams struct {
 		Values []struct {
 			Name string `json:"username"`
 		}
 	}
 	var repositories struct {
 		Values []struct {
 			FullName string `json:"full_name"`
 		}
 	}
 	req, err := http.NewRequest("GET",
 		p.ValidateURL.String()+"?access_token="+s.AccessToken, nil)
 	if err != nil {
 		logger.Printf("failed building request %s", err)
 		return "", err
 	}
 	err = requests.RequestJSON(req, &emails)
 	if err != nil {
 		logger.Printf("failed making request %s", err)
 		return "", err
 	}
 	if p.Team != "" {
 		teamURL := &url.URL{}
 		*teamURL = *p.ValidateURL
 		teamURL.Path = "/2.0/teams"
 		req, err = http.NewRequest("GET",
 			teamURL.String()+"?role=member&access_token="+s.AccessToken, nil)
 		if err != nil {
 			logger.Printf("failed building request %s", err)
 			return "", err
 		}
 		err = requests.RequestJSON(req, &teams)
 		if err != nil {
 			logger.Printf("failed requesting teams membership %s", err)
 			return "", err
 		}
 		var found = false
 		for _, team := range teams.Values {
 			if p.Team == team.Name {
 				found = true
 				break
 			}
 		}
 		if found != true {
 			logger.Print("team membership test failed, access denied")
 			return "", nil
 		}
 	}
 	if p.Repository != "" {
 		repositoriesURL := &url.URL{}
 		*repositoriesURL = *p.ValidateURL
 		repositoriesURL.Path = "/2.0/repositories/" + strings.Split(p.Repository, "/")[0]
 		req, err = http.NewRequest("GET",
 			repositoriesURL.String()+"?role=contributor"+
 				"&q=full_name="+url.QueryEscape("\""+p.Repository+"\"")+
 				"&access_token="+s.AccessToken,
 			nil)
 		if err != nil {
 			logger.Printf("failed building request %s", err)
 			return "", err
 		}
 		err = requests.RequestJSON(req, &repositories)
 		if err != nil {
 			logger.Printf("failed checking repository access %s", err)
 			return "", err
 		}
 		var found = false
 		for _, repository := range repositories.Values {
 			if p.Repository == repository.FullName {
 				found = true
 				break
 			}
 		}
 		if found != true {
 			logger.Print("repository access test failed, access denied")
 			return "", nil
 		}
 	}
 	for _, email := range emails.Values {
 		if email.Primary {
 			return email.Email, nil
 		}
 	}
 	return "", nil
 }
--- a/providers/bitbucket_test.go
+++ b/providers/bitbucket_test.go
@ -0,0 +1,170 @@
 package providers
 import (
 	"log"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/pusher/oauth2_proxy/pkg/apis/sessions"
 )
 func testBitbucketProvider(hostname, team string, repository string) *BitbucketProvider {
 	p := NewBitbucketProvider(
 		&ProviderData{
 			ProviderName: "",
 			LoginURL:     &url.URL{},
 			RedeemURL:    &url.URL{},
 			ProfileURL:   &url.URL{},
 			ValidateURL:  &url.URL{},
 			Scope:        ""})
 	if team != "" {
 		p.SetTeam(team)
 	}
 	if repository != "" {
 		p.SetRepository(repository)
 	}
 	if hostname != "" {
 		updateURL(p.Data().LoginURL, hostname)
 		updateURL(p.Data().RedeemURL, hostname)
 		updateURL(p.Data().ProfileURL, hostname)
 		updateURL(p.Data().ValidateURL, hostname)
 	}
 	return p
 }
 func testBitbucketBackend(payload string) *httptest.Server {
 	paths := map[string]bool{
 		"/2.0/user/emails": true,
 		"/2.0/teams":       true,
 	}
 	return httptest.NewServer(http.HandlerFunc(
 		func(w http.ResponseWriter, r *http.Request) {
 			url := r.URL
 			if !paths[url.Path] {
 				log.Printf("%s not in %+v\n", url.Path, paths)
 				w.WriteHeader(404)
 			} else if r.URL.Query().Get("access_token") != "imaginary_access_token" {
 				w.WriteHeader(403)
 			} else {
 				w.WriteHeader(200)
 				w.Write([]byte(payload))
 			}
 		}))
 }
 func TestBitbucketProviderDefaults(t *testing.T) {
 	p := testBitbucketProvider("", "", "")
 	assert.NotEqual(t, nil, p)
 	assert.Equal(t, "Bitbucket", p.Data().ProviderName)
 	assert.Equal(t, "https://bitbucket.org/site/oauth2/authorize",
 		p.Data().LoginURL.String())
 	assert.Equal(t, "https://bitbucket.org/site/oauth2/access_token",
 		p.Data().RedeemURL.String())
 	assert.Equal(t, "https://api.bitbucket.org/2.0/user/emails",
 		p.Data().ValidateURL.String())
 	assert.Equal(t, "email", p.Data().Scope)
 }
 func TestBitbucketProviderScopeAdjustForTeam(t *testing.T) {
 	p := testBitbucketProvider("", "test-team", "")
 	assert.NotEqual(t, nil, p)
 	assert.Equal(t, "email team", p.Data().Scope)
 }
 func TestBitbucketProviderScopeAdjustForRepository(t *testing.T) {
 	p := testBitbucketProvider("", "", "rest-repo")
 	assert.NotEqual(t, nil, p)
 	assert.Equal(t, "email repository", p.Data().Scope)
 }
 func TestBitbucketProviderOverrides(t *testing.T) {
 	p := NewBitbucketProvider(
 		&ProviderData{
 			LoginURL: &url.URL{
 				Scheme: "https",
 				Host:   "example.com",
 				Path:   "/oauth/auth"},
 			RedeemURL: &url.URL{
 				Scheme: "https",
 				Host:   "example.com",
 				Path:   "/oauth/token"},
 			ValidateURL: &url.URL{
 				Scheme: "https",
 				Host:   "example.com",
 				Path:   "/api/v3/user"},
 			Scope: "profile"})
 	assert.NotEqual(t, nil, p)
 	assert.Equal(t, "Bitbucket", p.Data().ProviderName)
 	assert.Equal(t, "https://example.com/oauth/auth",
 		p.Data().LoginURL.String())
 	assert.Equal(t, "https://example.com/oauth/token",
 		p.Data().RedeemURL.String())
 	assert.Equal(t, "https://example.com/api/v3/user",
 		p.Data().ValidateURL.String())
 	assert.Equal(t, "profile", p.Data().Scope)
 }
 func TestBitbucketProviderGetEmailAddress(t *testing.T) {
 	b := testBitbucketBackend("{\"values\": [ { \"email\": \"michael.bland@gsa.gov\", \"is_primary\": true } ] }")
 	defer b.Close()
 	bURL, _ := url.Parse(b.URL)
 	p := testBitbucketProvider(bURL.Host, "", "")
 	session := &sessions.SessionState{AccessToken: "imaginary_access_token"}
 	email, err := p.GetEmailAddress(session)
 	assert.Equal(t, nil, err)
 	assert.Equal(t, "michael.bland@gsa.gov", email)
 }
 func TestBitbucketProviderGetEmailAddressAndGroup(t *testing.T) {
 	b := testBitbucketBackend("{\"values\": [ { \"email\": \"michael.bland@gsa.gov\", \"is_primary\": true, \"username\": \"bioinformatics\" } ] }")
 	defer b.Close()
 	bURL, _ := url.Parse(b.URL)
 	p := testBitbucketProvider(bURL.Host, "bioinformatics", "")
 	session := &sessions.SessionState{AccessToken: "imaginary_access_token"}
 	email, err := p.GetEmailAddress(session)
 	assert.Equal(t, nil, err)
 	assert.Equal(t, "michael.bland@gsa.gov", email)
 }
 // Note that trying to trigger the "failed building request" case is not
 // practical, since the only way it can fail is if the URL fails to parse.
 func TestBitbucketProviderGetEmailAddressFailedRequest(t *testing.T) {
 	b := testBitbucketBackend("unused payload")
 	defer b.Close()
 	bURL, _ := url.Parse(b.URL)
 	p := testBitbucketProvider(bURL.Host, "", "")
 	// We'll trigger a request failure by using an unexpected access
 	// token. Alternatively, we could allow the parsing of the payload as
 	// JSON to fail.
 	session := &sessions.SessionState{AccessToken: "unexpected_access_token"}
 	email, err := p.GetEmailAddress(session)
 	assert.NotEqual(t, nil, err)
 	assert.Equal(t, "", email)
 }
 func TestBitbucketProviderGetEmailAddressEmailNotPresentInPayload(t *testing.T) {
 	b := testBitbucketBackend("{\"foo\": \"bar\"}")
 	defer b.Close()
 	bURL, _ := url.Parse(b.URL)
 	p := testBitbucketProvider(bURL.Host, "", "")
 	session := &sessions.SessionState{AccessToken: "imaginary_access_token"}
 	email, err := p.GetEmailAddress(session)
 	assert.Equal(t, "", email)
 	assert.Equal(t, nil, err)
 }
--- a/providers/gitlab.go
+++ b/providers/gitlab.go
@ -1,62 +1,258 @@
 package providers
 import (
 	"context"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
 	"net/http"
-	"net/url"
+	"strings"
 	"time"
 	oidc "github.com/coreos/go-oidc"
 	"github.com/pusher/oauth2_proxy/pkg/apis/sessions"
-	"github.com/pusher/oauth2_proxy/pkg/logger"
+	"golang.org/x/oauth2"
 	"github.com/pusher/oauth2_proxy/pkg/requests"
 )
-// GitLabProvider represents an GitLab based Identity Provider
+// GitLabProvider represents a GitLab based Identity Provider
 type GitLabProvider struct {
 	*ProviderData
 	Group        string
 	EmailDomains []string
 	Verifier             *oidc.IDTokenVerifier
 	AllowUnverifiedEmail bool
 }
 // NewGitLabProvider initiates a new GitLabProvider
 func NewGitLabProvider(p *ProviderData) *GitLabProvider {
 	p.ProviderName = "GitLab"
-	if p.LoginURL == nil || p.LoginURL.String() == "" {
+
 		p.LoginURL = &url.URL{
 			Scheme: "https",
 			Host:   "gitlab.com",
 			Path:   "/oauth/authorize",
 		}
 	}
 	if p.RedeemURL == nil || p.RedeemURL.String() == "" {
 		p.RedeemURL = &url.URL{
 			Scheme: "https",
 			Host:   "gitlab.com",
 			Path:   "/oauth/token",
 		}
 	}
 	if p.ValidateURL == nil || p.ValidateURL.String() == "" {
 		p.ValidateURL = &url.URL{
 			Scheme: "https",
 			Host:   "gitlab.com",
 			Path:   "/api/v4/user",
 		}
 	}
 	if p.Scope == "" {
-		p.Scope = "read_user"
+		p.Scope = "openid email"
 	}
 	return &GitLabProvider{ProviderData: p}
 }
 // Redeem exchanges the OAuth2 authentication token for an ID token
 func (p *GitLabProvider) Redeem(redirectURL, code string) (s *sessions.SessionState, err error) {
 	ctx := context.Background()
 	c := oauth2.Config{
 		ClientID:     p.ClientID,
 		ClientSecret: p.ClientSecret,
 		Endpoint: oauth2.Endpoint{
 			TokenURL: p.RedeemURL.String(),
 		},
 		RedirectURL: redirectURL,
 	}
 	token, err := c.Exchange(ctx, code)
 	if err != nil {
 		return nil, fmt.Errorf("token exchange: %v", err)
 	}
 	s, err = p.createSessionState(ctx, token)
 	if err != nil {
 		return nil, fmt.Errorf("unable to update session: %v", err)
 	}
 	return
 }
 // RefreshSessionIfNeeded checks if the session has expired and uses the
 // RefreshToken to fetch a new ID token if required
 func (p *GitLabProvider) RefreshSessionIfNeeded(s *sessions.SessionState) (bool, error) {
 	if s == nil || s.ExpiresOn.After(time.Now()) || s.RefreshToken == "" {
 		return false, nil
 	}
 	origExpiration := s.ExpiresOn
 	err := p.redeemRefreshToken(s)
 	if err != nil {
 		return false, fmt.Errorf("unable to redeem refresh token: %v", err)
 	}
 	fmt.Printf("refreshed id token %s (expired on %s)\n", s, origExpiration)
 	return true, nil
 }
 func (p *GitLabProvider) redeemRefreshToken(s *sessions.SessionState) (err error) {
 	c := oauth2.Config{
 		ClientID:     p.ClientID,
 		ClientSecret: p.ClientSecret,
 		Endpoint: oauth2.Endpoint{
 			TokenURL: p.RedeemURL.String(),
 		},
 	}
 	ctx := context.Background()
 	t := &oauth2.Token{
 		RefreshToken: s.RefreshToken,
 		Expiry:       time.Now().Add(-time.Hour),
 	}
 	token, err := c.TokenSource(ctx, t).Token()
 	if err != nil {
 		return fmt.Errorf("failed to get token: %v", err)
 	}
 	newSession, err := p.createSessionState(ctx, token)
 	if err != nil {
 		return fmt.Errorf("unable to update session: %v", err)
 	}
 	s.AccessToken = newSession.AccessToken
 	s.IDToken = newSession.IDToken
 	s.RefreshToken = newSession.RefreshToken
 	s.CreatedAt = newSession.CreatedAt
 	s.ExpiresOn = newSession.ExpiresOn
 	s.Email = newSession.Email
 	return
 }
 type gitlabUserInfo struct {
 	Username      string   `json:"nickname"`
 	Email         string   `json:"email"`
 	EmailVerified bool     `json:"email_verified"`
 	Groups        []string `json:"groups"`
 }
 func (p *GitLabProvider) getUserInfo(s *sessions.SessionState) (*gitlabUserInfo, error) {
 	// Retrieve user info JSON
 	// https://docs.gitlab.com/ee/integration/openid_connect_provider.html#shared-information
 	// Build user info url from login url of GitLab instance
 	userInfoURL := *p.LoginURL
 	userInfoURL.Path = "/oauth/userinfo"
 	req, err := http.NewRequest("GET", userInfoURL.String(), nil)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create user info request: %v", err)
 	}
 	req.Header.Set("Authorization", "Bearer "+s.AccessToken)
 	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
 		return nil, fmt.Errorf("failed to perform user info request: %v", err)
 	}
 	var body []byte
 	body, err = ioutil.ReadAll(resp.Body)
 	resp.Body.Close()
 	if err != nil {
 		return nil, fmt.Errorf("failed to read user info response: %v", err)
 	}
 	if resp.StatusCode != 200 {
 		return nil, fmt.Errorf("got %d during user info request: %s", resp.StatusCode, body)
 	}
 	var userInfo gitlabUserInfo
 	err = json.Unmarshal(body, &userInfo)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse user info: %v", err)
 	}
 	return &userInfo, nil
 }
 func (p *GitLabProvider) verifyGroupMembership(userInfo *gitlabUserInfo) error {
 	if p.Group == "" {
 		return nil
 	}
 	// Collect user group memberships
 	membershipSet := make(map[string]bool)
 	for _, group := range userInfo.Groups {
 		membershipSet[group] = true
 	}
 	// Find a valid group that they are a member of
 	validGroups := strings.Split(p.Group, " ")
 	for _, validGroup := range validGroups {
 		if _, ok := membershipSet[validGroup]; ok {
 			return nil
 		}
 	}
 	return fmt.Errorf("user is not a member of '%s'", p.Group)
 }
 func (p *GitLabProvider) verifyEmailDomain(userInfo *gitlabUserInfo) error {
 	if len(p.EmailDomains) == 0 || p.EmailDomains[0] == "*" {
 		return nil
 	}
 	for _, domain := range p.EmailDomains {
 		if strings.HasSuffix(userInfo.Email, domain) {
 			return nil
 		}
 	}
 	return fmt.Errorf("user email is not one of the valid domains '%v'", p.EmailDomains)
 }
 func (p *GitLabProvider) createSessionState(ctx context.Context, token *oauth2.Token) (*sessions.SessionState, error) {
 	rawIDToken, ok := token.Extra("id_token").(string)
 	if !ok {
 		return nil, fmt.Errorf("token response did not contain an id_token")
 	}
 	// Parse and verify ID Token payload.
 	idToken, err := p.Verifier.Verify(ctx, rawIDToken)
 	if err != nil {
 		return nil, fmt.Errorf("could not verify id_token: %v", err)
 	}
 	return &sessions.SessionState{
 		AccessToken:  token.AccessToken,
 		IDToken:      rawIDToken,
 		RefreshToken: token.RefreshToken,
 		CreatedAt:    time.Now(),
 		ExpiresOn:    idToken.Expiry,
 	}, nil
 }
 // ValidateSessionState checks that the session's IDToken is still valid
 func (p *GitLabProvider) ValidateSessionState(s *sessions.SessionState) bool {
 	ctx := context.Background()
 	_, err := p.Verifier.Verify(ctx, s.IDToken)
 	if err != nil {
 		return false
 	}
 	return true
 }
 // GetEmailAddress returns the Account email address
 func (p *GitLabProvider) GetEmailAddress(s *sessions.SessionState) (string, error) {
 	// Retrieve user info
 	userInfo, err := p.getUserInfo(s)
 	if err != nil {
 		return "", fmt.Errorf("failed to retrieve user info: %v", err)
 	}
-	req, err := http.NewRequest("GET",
+	// Check if email is verified
-		p.ValidateURL.String()+"?access_token="+s.AccessToken, nil)
+	if !p.AllowUnverifiedEmail && !userInfo.EmailVerified {
-	if err != nil {
+		return "", fmt.Errorf("user email is not verified")
 		logger.Printf("failed building request %s", err)
 		return "", err
 	}
-	json, err := requests.Request(req)
+
 	// Check if email has valid domain
 	err = p.verifyEmailDomain(userInfo)
 	if err != nil {
-		logger.Printf("failed making request %s", err)
+		return "", fmt.Errorf("email domain check failed: %v", err)
 		return "", err
 	}
-	return json.Get("email").String()
+
 	// Check group membership
 	err = p.verifyGroupMembership(userInfo)
 	if err != nil {
 		return "", fmt.Errorf("group membership check failed: %v", err)
 	}
 	return userInfo.Email, nil
 }
 // GetUserName returns the Account user name
 func (p *GitLabProvider) GetUserName(s *sessions.SessionState) (string, error) {
 	userInfo, err := p.getUserInfo(s)
 	if err != nil {
 		return "", fmt.Errorf("failed to retrieve user info: %v", err)
 	}
 	return userInfo.Username, nil
 }
--- a/providers/gitlab_test.go
+++ b/providers/gitlab_test.go
@ -25,104 +25,142 @@ func testGitLabProvider(hostname string) *GitLabProvider {
 		updateURL(p.Data().ProfileURL, hostname)
 		updateURL(p.Data().ValidateURL, hostname)
 	}
 	return p
 }
-func testGitLabBackend(payload string) *httptest.Server {
+func testGitLabBackend() *httptest.Server {
-	path := "/api/v4/user"
+	userInfo := `
-	query := "access_token=imaginary_access_token"
+		{
 			"nickname": "FooBar",
 			"email": "foo@bar.com",
 			"email_verified": false,
 			"groups": ["foo", "bar"]
 		}
 	`
 	authHeader := "Bearer gitlab_access_token"
 	return httptest.NewServer(http.HandlerFunc(
 		func(w http.ResponseWriter, r *http.Request) {
-			if r.URL.Path != path || r.URL.RawQuery != query {
+			if r.URL.Path == "/oauth/userinfo" {
-				w.WriteHeader(404)
+				if r.Header["Authorization"][0] == authHeader {
 					w.WriteHeader(200)
 					w.Write([]byte(userInfo))
 				} else {
 					w.WriteHeader(401)
 				}
 			} else {
-				w.WriteHeader(200)
+				w.WriteHeader(404)
 				w.Write([]byte(payload))
 			}
 		}))
 }
-func TestGitLabProviderDefaults(t *testing.T) {
+func TestGitLabProviderBadToken(t *testing.T) {
-	p := testGitLabProvider("")
+	b := testGitLabBackend()
 	assert.NotEqual(t, nil, p)
 	assert.Equal(t, "GitLab", p.Data().ProviderName)
 	assert.Equal(t, "https://gitlab.com/oauth/authorize",
 		p.Data().LoginURL.String())
 	assert.Equal(t, "https://gitlab.com/oauth/token",
 		p.Data().RedeemURL.String())
 	assert.Equal(t, "https://gitlab.com/api/v4/user",
 		p.Data().ValidateURL.String())
 	assert.Equal(t, "read_user", p.Data().Scope)
 }
 func TestGitLabProviderOverrides(t *testing.T) {
 	p := NewGitLabProvider(
 		&ProviderData{
 			LoginURL: &url.URL{
 				Scheme: "https",
 				Host:   "example.com",
 				Path:   "/oauth/auth"},
 			RedeemURL: &url.URL{
 				Scheme: "https",
 				Host:   "example.com",
 				Path:   "/oauth/token"},
 			ValidateURL: &url.URL{
 				Scheme: "https",
 				Host:   "example.com",
 				Path:   "/api/v4/user"},
 			Scope: "profile"})
 	assert.NotEqual(t, nil, p)
 	assert.Equal(t, "GitLab", p.Data().ProviderName)
 	assert.Equal(t, "https://example.com/oauth/auth",
 		p.Data().LoginURL.String())
 	assert.Equal(t, "https://example.com/oauth/token",
 		p.Data().RedeemURL.String())
 	assert.Equal(t, "https://example.com/api/v4/user",
 		p.Data().ValidateURL.String())
 	assert.Equal(t, "profile", p.Data().Scope)
 }
 func TestGitLabProviderGetEmailAddress(t *testing.T) {
 	b := testGitLabBackend("{\"email\": \"michael.bland@gsa.gov\"}")
 	defer b.Close()
 	bURL, _ := url.Parse(b.URL)
 	p := testGitLabProvider(bURL.Host)
-	session := &sessions.SessionState{AccessToken: "imaginary_access_token"}
+	session := &sessions.SessionState{AccessToken: "unexpected_gitlab_access_token"}
 	_, err := p.GetEmailAddress(session)
 	assert.NotEqual(t, nil, err)
 }
 func TestGitLabProviderUnverifiedEmailDenied(t *testing.T) {
 	b := testGitLabBackend()
 	defer b.Close()
 	bURL, _ := url.Parse(b.URL)
 	p := testGitLabProvider(bURL.Host)
 	session := &sessions.SessionState{AccessToken: "gitlab_access_token"}
 	_, err := p.GetEmailAddress(session)
 	assert.NotEqual(t, nil, err)
 }
 func TestGitLabProviderUnverifiedEmailAllowed(t *testing.T) {
 	b := testGitLabBackend()
 	defer b.Close()
 	bURL, _ := url.Parse(b.URL)
 	p := testGitLabProvider(bURL.Host)
 	p.AllowUnverifiedEmail = true
 	session := &sessions.SessionState{AccessToken: "gitlab_access_token"}
 	email, err := p.GetEmailAddress(session)
 	assert.Equal(t, nil, err)
-	assert.Equal(t, "michael.bland@gsa.gov", email)
+	assert.Equal(t, "foo@bar.com", email)
 }
-// Note that trying to trigger the "failed building request" case is not
+func TestGitLabProviderUsername(t *testing.T) {
-// practical, since the only way it can fail is if the URL fails to parse.
+	b := testGitLabBackend()
 func TestGitLabProviderGetEmailAddressFailedRequest(t *testing.T) {
 	b := testGitLabBackend("unused payload")
 	defer b.Close()
 	bURL, _ := url.Parse(b.URL)
 	p := testGitLabProvider(bURL.Host)
 	p.AllowUnverifiedEmail = true
-	// We'll trigger a request failure by using an unexpected access
+	session := &sessions.SessionState{AccessToken: "gitlab_access_token"}
-	// token. Alternatively, we could allow the parsing of the payload as
+	username, err := p.GetUserName(session)
-	// JSON to fail.
+	assert.Equal(t, nil, err)
-	session := &sessions.SessionState{AccessToken: "unexpected_access_token"}
+	assert.Equal(t, "FooBar", username)
 	email, err := p.GetEmailAddress(session)
 	assert.NotEqual(t, nil, err)
 	assert.Equal(t, "", email)
 }
-func TestGitLabProviderGetEmailAddressEmailNotPresentInPayload(t *testing.T) {
+func TestGitLabProviderGroupMembershipValid(t *testing.T) {
-	b := testGitLabBackend("{\"foo\": \"bar\"}")
+	b := testGitLabBackend()
 	defer b.Close()
 	bURL, _ := url.Parse(b.URL)
 	p := testGitLabProvider(bURL.Host)
 	p.AllowUnverifiedEmail = true
 	p.Group = "foo"
-	session := &sessions.SessionState{AccessToken: "imaginary_access_token"}
+	session := &sessions.SessionState{AccessToken: "gitlab_access_token"}
 	email, err := p.GetEmailAddress(session)
-	assert.NotEqual(t, nil, err)
+	assert.Equal(t, nil, err)
-	assert.Equal(t, "", email)
+	assert.Equal(t, "foo@bar.com", email)
 }
 func TestGitLabProviderGroupMembershipMissing(t *testing.T) {
 	b := testGitLabBackend()
 	defer b.Close()
 	bURL, _ := url.Parse(b.URL)
 	p := testGitLabProvider(bURL.Host)
 	p.AllowUnverifiedEmail = true
 	p.Group = "baz"
 	session := &sessions.SessionState{AccessToken: "gitlab_access_token"}
 	_, err := p.GetEmailAddress(session)
 	assert.NotEqual(t, nil, err)
 }
 func TestGitLabProviderEmailDomainValid(t *testing.T) {
 	b := testGitLabBackend()
 	defer b.Close()
 	bURL, _ := url.Parse(b.URL)
 	p := testGitLabProvider(bURL.Host)
 	p.AllowUnverifiedEmail = true
 	p.EmailDomains = []string{"bar.com"}
 	session := &sessions.SessionState{AccessToken: "gitlab_access_token"}
 	email, err := p.GetEmailAddress(session)
 	assert.Equal(t, nil, err)
 	assert.Equal(t, "foo@bar.com", email)
 }
 func TestGitLabProviderEmailDomainInvalid(t *testing.T) {
 	b := testGitLabBackend()
 	defer b.Close()
 	bURL, _ := url.Parse(b.URL)
 	p := testGitLabProvider(bURL.Host)
 	p.AllowUnverifiedEmail = true
 	p.EmailDomains = []string{"baz.com"}
 	session := &sessions.SessionState{AccessToken: "gitlab_access_token"}
 	_, err := p.GetEmailAddress(session)
 	assert.NotEqual(t, nil, err)
 }
--- a/providers/google.go
+++ b/providers/google.go
@ -189,73 +189,44 @@ func getAdminService(adminEmail string, credentialsReader io.Reader) *admin.Serv
 }
 func userInGroup(service *admin.Service, groups []string, email string) bool {
 	user, err := fetchUser(service, email)
 	if err != nil {
 		logger.Printf("Warning: unable to fetch user: %v", err)
 		user = nil
 	}
 	for _, group := range groups {
-		members, err := fetchGroupMembers(service, group)
+		// Use the HasMember API to checking for the user's presence in each group or nested subgroups
 		req := service.Members.HasMember(group, email)
 		r, err := req.Do()
 		if err != nil {
-			if err, ok := err.(*googleapi.Error); ok && err.Code == 404 {
+			err, ok := err.(*googleapi.Error)
-				logger.Printf("error fetching members for group %s: group does not exist", group)
+			if ok && err.Code == 404 {
-			} else {
+				logger.Printf("error checking membership in group %s: group does not exist", group)
-				logger.Printf("error fetching group members: %v", err)
+			} else if ok && err.Code == 400 {
-				return false
+				// It is possible for Members.HasMember to return false even if the email is a group member.
-			}
+				// One case that can cause this is if the user email is from a different domain than the group,
-		}
+				// e.g. "member@otherdomain.com" in the group "group@mydomain.com" will result in a 400 error
 				// from the HasMember API. In that case, attempt to query the member object directly from the group.
 				req := service.Members.Get(group, email)
 				r, err := req.Do()
-		for _, member := range members {
+				if err != nil {
-			if member.Email == email {
+					logger.Printf("error using get API to check member %s of google group %s: user not in the group", email, group)
-				return true
+					continue
-			}
+				}
-			if user == nil {
+
-				continue
+				// If the non-domain user is found within the group, still verify that they are "ACTIVE".
-			}
+				// Do not count the user as belonging to a group if they have another status ("ARCHIVED", "SUSPENDED", or "UNKNOWN").
-			switch member.Type {
+				if r.Status == "ACTIVE" {
 			case "CUSTOMER":
 				if member.Id == user.CustomerId {
 					return true
 				}
 			case "USER":
 				if member.Id == user.Id {
 					return true
 				}
 			} else {
 				logger.Printf("error checking group membership: %v", err)
 			}
 			continue
 		}
 		if r.IsMember {
 			return true
 		}
 	}
 	return false
 }
 func fetchUser(service *admin.Service, email string) (*admin.User, error) {
 	user, err := service.Users.Get(email).Do()
 	return user, err
 }
 func fetchGroupMembers(service *admin.Service, group string) ([]*admin.Member, error) {
 	members := []*admin.Member{}
 	pageToken := ""
 	for {
 		req := service.Members.List(group)
 		if pageToken != "" {
 			req.PageToken(pageToken)
 		}
 		r, err := req.Do()
 		if err != nil {
 			return nil, err
 		}
 		for _, member := range r.Members {
 			members = append(members, member)
 		}
 		if r.NextPageToken == "" {
 			break
 		}
 		pageToken = r.NextPageToken
 	}
 	return members, nil
 }
 // ValidateGroup validates that the provided email exists in the configured Google
 // group(s).
 func (p *GoogleProvider) ValidateGroup(email string) bool {
--- a/providers/google_test.go
+++ b/providers/google_test.go
@ -1,6 +1,7 @@
 package providers
 import (
 	"context"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
@ -12,6 +13,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	admin "google.golang.org/api/admin/directory/v1"
 	option "google.golang.org/api/option"
 )
 func newRedeemServer(body []byte) (*url.URL, *httptest.Server) {
@ -185,34 +187,53 @@ func TestGoogleProviderGetEmailAddressEmailMissing(t *testing.T) {
 func TestGoogleProviderUserInGroup(t *testing.T) {
 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if r.URL.Path == "/users/member-by-email@example.com" {
+		if r.URL.Path == "/groups/group@example.com/hasMember/member-in-domain@example.com" {
-			fmt.Fprintln(w, "{}")
+			fmt.Fprintln(w, `{"isMember": true}`)
-		} else if r.URL.Path == "/users/non-member-by-email@example.com" {
+		} else if r.URL.Path == "/groups/group@example.com/hasMember/non-member-in-domain@example.com" {
-			fmt.Fprintln(w, "{}")
+			fmt.Fprintln(w, `{"isMember": false}`)
-		} else if r.URL.Path == "/users/member-by-id@example.com" {
+		} else if r.URL.Path == "/groups/group@example.com/hasMember/member-out-of-domain@otherexample.com" {
-			fmt.Fprintln(w, "{\"id\": \"member-id\"}")
+			http.Error(
-		} else if r.URL.Path == "/users/non-member-by-id@example.com" {
+				w,
-			fmt.Fprintln(w, "{\"id\": \"non-member-id\"}")
+				`{"error": {"errors": [{"domain": "global","reason": "invalid","message": "Invalid Input: memberKey"}],"code": 400,"message": "Invalid Input: memberKey"}}`,
-		} else if r.URL.Path == "/groups/group@example.com/members" {
+				http.StatusBadRequest,
-			fmt.Fprintln(w, "{\"members\": [{\"email\": \"member-by-email@example.com\"}, {\"id\": \"member-id\", \"type\": \"USER\"}]}")
+			)
 		} else if r.URL.Path == "/groups/group@example.com/hasMember/non-member-out-of-domain@otherexample.com" {
 			http.Error(
 				w,
 				`{"error": {"errors": [{"domain": "global","reason": "invalid","message": "Invalid Input: memberKey"}],"code": 400,"message": "Invalid Input: memberKey"}}`,
 				http.StatusBadRequest,
 			)
 		} else if r.URL.Path == "/groups/group@example.com/members/non-member-out-of-domain@otherexample.com" {
 			// note that the client currently doesn't care what this response text or code is - any error here results in failure to match the group
 			http.Error(
 				w,
 				`{"error": {"errors": [{"domain": "global","reason": "notFound","message": "Resource Not Found: memberKey"}],"code": 404,"message": "Resource Not Found: memberKey"}}`,
 				http.StatusNotFound,
 			)
 		} else if r.URL.Path == "/groups/group@example.com/members/member-out-of-domain@otherexample.com" {
 			fmt.Fprintln(w,
 				`{"kind": "admin#directory#member","etag":"12345","id":"1234567890","email": "member-out-of-domain@otherexample.com","role": "MEMBER","type": "USER","status": "ACTIVE","delivery_settings": "ALL_MAIL"}}`,
 			)
 		}
 	}))
 	defer ts.Close()
 	client := ts.Client()
-	service, err := admin.New(client)
+	ctx := context.Background()
 	service, err := admin.NewService(ctx, option.WithHTTPClient(client))
 	service.BasePath = ts.URL
 	assert.Equal(t, nil, err)
-	result := userInGroup(service, []string{"group@example.com"}, "member-by-email@example.com")
+	result := userInGroup(service, []string{"group@example.com"}, "member-in-domain@example.com")
 	assert.True(t, result)
-	result = userInGroup(service, []string{"group@example.com"}, "member-by-id@example.com")
+	result = userInGroup(service, []string{"group@example.com"}, "member-out-of-domain@otherexample.com")
 	assert.True(t, result)
-	result = userInGroup(service, []string{"group@example.com"}, "non-member-by-id@example.com")
+	result = userInGroup(service, []string{"group@example.com"}, "non-member-in-domain@example.com")
 	assert.False(t, result)
-	result = userInGroup(service, []string{"group@example.com"}, "non-member-by-email@example.com")
+	result = userInGroup(service, []string{"group@example.com"}, "non-member-out-of-domain@otherexample.com")
 	assert.False(t, result)
 }
--- a/providers/oidc.go
+++ b/providers/oidc.go
@ -3,10 +3,13 @@ package providers
 import (
 	"context"
 	"fmt"
 	"net/http"
 	"time"
 	oidc "github.com/coreos/go-oidc"
 	"github.com/pusher/oauth2_proxy/pkg/apis/sessions"
 	"github.com/pusher/oauth2_proxy/pkg/requests"
 	"golang.org/x/oauth2"
 )
@ -117,8 +120,31 @@ func (p *OIDCProvider) createSessionState(ctx context.Context, token *oauth2.Tok
 	}
 	if claims.Email == "" {
-		// TODO: Try getting email from /userinfo before falling back to Subject
+		if p.ProfileURL.String() == "" {
-		claims.Email = claims.Subject
+			return nil, fmt.Errorf("id_token did not contain an email")
 		}
 		// If the userinfo endpoint profileURL is defined, then there is a chance the userinfo
 		// contents at the profileURL contains the email.
 		// Make a query to the userinfo endpoint, and attempt to locate the email from there.
 		req, err := http.NewRequest("GET", p.ProfileURL.String(), nil)
 		if err != nil {
 			return nil, err
 		}
 		req.Header = getOIDCHeader(token.AccessToken)
 		respJSON, err := requests.Request(req)
 		if err != nil {
 			return nil, err
 		}
 		email, err := respJSON.Get("email").String()
 		if err != nil {
 			return nil, fmt.Errorf("Neither id_token nor userinfo endpoint contained an email")
 		}
 		claims.Email = email
 	}
 	if !p.AllowUnverifiedEmail && claims.Verified != nil && !*claims.Verified {
 		return nil, fmt.Errorf("email in id_token (%s) isn't verified", claims.Email)
@ -145,3 +171,10 @@ func (p *OIDCProvider) ValidateSessionState(s *sessions.SessionState) bool {
 	return true
 }
 func getOIDCHeader(accessToken string) http.Header {
 	header := make(http.Header)
 	header.Set("Accept", "application/json")
 	header.Set("Authorization", fmt.Sprintf("Bearer %s", accessToken))
 	return header
 }
--- a/providers/providers.go
+++ b/providers/providers.go
@ -38,6 +38,8 @@ func New(provider string, p *ProviderData) Provider {
 		return NewOIDCProvider(p)
 	case "login.gov":
 		return NewLoginGovProvider(p)
 	case "bitbucket":
 		return NewBitbucketProvider(p)
 	default:
 		return NewGoogleProvider(p)
 	}