diff --git a/CHANGELOG.md b/CHANGELOG.md
index 889dd78..b72f7c1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,28 @@
 # Vx.x.x (Pre-release)
 
+## Changes since v3.1.0
+
+# v3.1.0
+
+## Release highlights
+
+- Introduction of ARM releases and and general improvements to Docker builds
+- Improvements to OIDC provider allowing pass-through of ID Tokens
+- Multiple redirect domains can now be whitelisted
+- Streamed responses are now flushed periodically
+
+## Important notes
+
+- If you have been using [#bitly/621](https://github.com/bitly/oauth2_proxy/pull/621)
+  and have cookies larger than the 4kb limit,
+  the cookie splitting pattern has changed and now uses `_` in place of `-` when
+  indexing cookies.
+  This will force users to reauthenticate the first time they use `v3.1.0`.
+- Streamed responses will now be flushed every 1 second by default.
+  Previously streamed responses were flushed only when the buffer was full.
+  To retain the old behaviour set `--flush-interval=0`.
+  See [#23](https://github.com/pusher/oauth2_proxy/pull/23) for further details.
+
 ## Changes since v3.0.0
 
 - [#14](https://github.com/pusher/oauth2_proxy/pull/14) OIDC ID Token, Authorization Headers, Refreshing and Verification (@joelspeed)
@@ -7,12 +30,12 @@
   - Implement token refreshing in OIDC provider
   - Split cookies larger than 4k limit into multiple cookies
   - Implement token validation in OIDC provider
-- [#15](https://github.com/pusher/oauth2_proxy/pull/21) WhitelistDomains (@joelspeed)
+- [#15](https://github.com/pusher/oauth2_proxy/pull/15) WhitelistDomains (@joelspeed)
   - Add `--whitelist-domain` flag to allow redirection to approved domains after OAuth flow
 - [#21](https://github.com/pusher/oauth2_proxy/pull/21) Docker Improvement (@yaegashi)
   - Move Docker base image from debian to alpine
   - Install ca-certificates in docker image
-- [#23](https://github.com/pusher/oauth2_proxy/pull/21) Flushed streaming responses
+- [#23](https://github.com/pusher/oauth2_proxy/pull/23) Flushed streaming responses
   - Long-running upstream responses will get flushed every (1 second by default)
 - [#24](https://github.com/pusher/oauth2_proxy/pull/24) Redirect fix (@agentgonzo)
   - After a successful login, you will be redirected to your original URL rather than /
diff --git a/Makefile b/Makefile
index 7192823..b04d139 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,6 @@
 include .env
 BINARY := oauth2_proxy
-VERSION := $(shell git describe --always --long --dirty --tags 2>/dev/null || echo "undefined")
+VERSION := $(shell git describe --always --dirty --tags 2>/dev/null || echo "undefined")
 
 .NOTPARALLEL:
 .PHONY: all
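Review bot: The `|| echo "undefined"` fallback on the changed `VERSION` line is kept, so a build run outside a git checkout (a source tarball, or a machine without git) silently yields `VERSION=undefined`, and the `docker build -t …:${VERSION}` and `docker push …:${VERSION}` recipes in the next hunk would tag and publish `quay.io/pusher/oauth2_proxy:undefined` without any error. Dropping `--long` means an exact-tag checkout now produces the bare tag (e.g. `v3.1.0`) rather than `v3.1.0-0-g<sha>`, which is presumably what the image tags are meant to carry, while a modified tree still gets a `-dirty` suffix. If the fallback is intentional for local development builds, a comment on the line would make that explicit: `# Falls back to "undefined" outside a git checkout; never push images built with that value`. Otherwise make the release path fail instead, e.g. a `test "$(VERSION)" != undefined` check at the top of the push recipes.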
@@ -47,17 +47,31 @@ $(BINARY):
 
 .PHONY: docker
 docker:
-	docker build -f Dockerfile -t pusher/oauth2_proxy:latest .
+	docker build -f Dockerfile -t quay.io/pusher/oauth2_proxy:latest .
 
 .PHONY: docker-all
 docker-all: docker
-	docker build -f Dockerfile -t pusher/oauth2_proxy:latest-amd64 .
-	docker build -f Dockerfile -t pusher/oauth2_proxy:${VERSION} .
-	docker build -f Dockerfile -t pusher/oauth2_proxy:${VERSION}-amd64 .
-	docker build -f Dockerfile.arm64 -t pusher/oauth2_proxy:latest-arm64 .
-	docker build -f Dockerfile.arm64 -t pusher/oauth2_proxy:${VERSION}-arm64 .
-	docker build -f Dockerfile.armv6 -t pusher/oauth2_proxy:latest-armv6 .
-	docker build -f Dockerfile.armv6 -t pusher/oauth2_proxy:${VERSION}-armv6 .
+	docker build -f Dockerfile -t quay.io/pusher/oauth2_proxy:latest-amd64 .
+	docker build -f Dockerfile -t quay.io/pusher/oauth2_proxy:${VERSION} .
+	docker build -f Dockerfile -t quay.io/pusher/oauth2_proxy:${VERSION}-amd64 .
+	docker build -f Dockerfile.arm64 -t quay.io/pusher/oauth2_proxy:latest-arm64 .
+	docker build -f Dockerfile.arm64 -t quay.io/pusher/oauth2_proxy:${VERSION}-arm64 .
+	docker build -f Dockerfile.armv6 -t quay.io/pusher/oauth2_proxy:latest-armv6 .
+	docker build -f Dockerfile.armv6 -t quay.io/pusher/oauth2_proxy:${VERSION}-armv6 .
+
+.PHONY: docker-push
+docker-push:
+	docker push quay.io/pusher/oauth2_proxy:latest
+
+.PHONY: docker-push-all
+docker-push-all: docker-push
+	docker push quay.io/pusher/oauth2_proxy:latest-amd64
+	docker push quay.io/pusher/oauth2_proxy:${VERSION}
+	docker push quay.io/pusher/oauth2_proxy:${VERSION}-amd64
+	docker push quay.io/pusher/oauth2_proxy:latest-arm64
+	docker push quay.io/pusher/oauth2_proxy:${VERSION}-arm64
+	docker push quay.io/pusher/oauth2_proxy:latest-armv6
+	docker push quay.io/pusher/oauth2_proxy:${VERSION}-armv6
 
 .PHONY: test
 test: dep lint
diff --git a/README.md b/README.md
index 524ba9b..9a7727f 100644
--- a/README.md
+++ b/README.md
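Review bot: The new `docker-push` and `docker-push-all` targets have no build prerequisite — `docker-push-all` depends only on `docker-push`, and neither depends on `docker` or `docker-all` — so `make docker-push-all` publishes whatever images currently carry those tags in the local daemon, which may be a stale or `-dirty` build from another checkout rather than the tree being released, and the `latest-*` and `${VERSION}` tags can even come from different builds. Since the Makefile declares `.NOTPARALLEL:`, declaring the build targets as prerequisites yields the intended build-then-push order: `docker-push: docker` and `docker-push-all: docker-all docker-push`. As a point of style, the registry path is now spelled out in sixteen recipe lines; a single `IMAGE := quay.io/pusher/oauth2_proxy` used as `-t $(IMAGE):latest` would make the next registry move (this commit is one) a one-line change. The Makefile continues past the end of the hunk.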
@@ -19,17 +19,17 @@ A list of changes can be seen in the [CHANGELOG](CHANGELOG.md).
 
 1. Choose how to deploy:
 
-    a. Download [Prebuilt Binary](https://github.com/pusher/oauth2_proxy/releases) (current release is `v3.0.0`)
+    a. Download [Prebuilt Binary](https://github.com/pusher/oauth2_proxy/releases) (current release is `v3.1.0`)
 
     b. Build with `$ go get github.com/pusher/oauth2_proxy` which will put the binary in `$GOROOT/bin`
 
-    c. Using the prebuilt docker image [quay.io/pusher/oauth2_proxy](https://quay.io/pusher/oauth2_proxy)
+    c. Using the prebuilt docker image [quay.io/pusher/oauth2_proxy](https://quay.io/pusher/oauth2_proxy) (AMD64, ARMv6 and ARM64 tags available)
 
 Prebuilt binaries can be validated by extracting the file and verifying it against the `sha256sum.txt` checksum file provided for each release starting with version `v3.0.0`.
 
 ```
 sha256sum -c sha256sum.txt 2>&1 | grep OK
-oauth2_proxy-3.0.0.linux-amd64: OK
+oauth2_proxy-3.1.0.linux-amd64: OK
 ```
 
 2. Select a Provider and Register an OAuth Application with a Provider
@@ -203,6 +203,7 @@ Usage of oauth2_proxy:
   -custom-templates-dir string: path to custom html templates
   -display-htpasswd-form: display username / password login form if an htpasswd file is provided (default true)
   -email-domain value: authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email
+  -flush-interval: period between flushing response buffers when streaming responses (default "1s")
   -footer string: custom footer string. Use "-" to disable default footer.
   -github-org string: restrict logins to members of this organisation
   -github-team string: restrict logins to members of any of these teams (slug), separated by a comma
@@ -481,19 +482,19 @@ server {
     auth_request_set $auth_cookie $upstream_http_set_cookie;
     add_header Set-Cookie $auth_cookie;
 
-    # When using the --set-authorization flag, some provider's cookies can exceed the 4kb
-    # limit and so the OAuth2 Proxy splits these into multiple parts.
+    # When using the --set-authorization flag, some provider's cookies can exceed the 4kb
+    # limit and so the OAuth2 Proxy splits these into multiple parts.
     # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
     # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
     auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;
-    
+
     # Extract the Cookie attributes from the first Set-Cookie header and append them
     # to the second part ($upstream_cookie_* variables only contain the raw cookie content)
     if ($auth_cookie ~* "(; .*)") {
-        set $auth_cookie_name_0 $auth_cookie;
+        set $auth_cookie_name_0 $auth_cookie;
         set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
     }
-    
+
     # Send both Set-Cookie headers now if there was a second part
     if ($auth_cookie_name_upstream_1) {
         add_header Set-Cookie $auth_cookie_name_0;