diff --git a/.travis.yml b/.travis.yml index c0db4d0..8c830da 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,7 +1,7 @@ language: go go: - 1.7.5 - - 1.8 + - 1.8.1 script: - curl -s https://raw.githubusercontent.com/pote/gpm/v1.4.0/bin/gpm > gpm - chmod +x gpm diff --git a/README.md b/README.md index 68a8138..be73f36 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,6 @@ oauth2_proxy ================= -(This project was renamed from Google Auth Proxy - May 2015) - A reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by email, domain or group. @@ -17,7 +15,7 @@ to validate accounts by email, domain or group. ## Installation -1. Download [Prebuilt Binary](https://github.com/bitly/oauth2_proxy/releases) (current release is `v2.1`) or build with `$ go get github.com/bitly/oauth2_proxy` which will put the binary in `$GOROOT/bin` +1. Download [Prebuilt Binary](https://github.com/bitly/oauth2_proxy/releases) (current release is `v2.2`) or build with `$ go get github.com/bitly/oauth2_proxy` which will put the binary in `$GOROOT/bin` 2. Select a Provider and Register an OAuth Application with a Provider 3. Configure OAuth2 Proxy using config file, command line options, or environment variables 4. Configure SSL or Deploy behind a SSL endpoint (example provided for Nginx) @@ -159,54 +157,56 @@ An example [oauth2_proxy.cfg](contrib/oauth2_proxy.cfg.example) config file is i ``` Usage of oauth2_proxy: - -approval-prompt="force": Oauth approval_prompt - -authenticated-emails-file="": authenticate against emails via file (one per line) - -azure-tenant="common": go to a tenant-specific or common (tenant-independent) endpoint. - -basic-auth-password="": the password to set when passing the HTTP Basic Auth header - -client-id="": the OAuth Client ID: ie: "123456.apps.googleusercontent.com" - -client-secret="": the OAuth Client Secret - -config="": path to config file - -cookie-domain="": an optional cookie domain to force cookies to (ie: .yourcompany.com)* - -cookie-expire=168h0m0s: expire timeframe for cookie - -cookie-httponly=true: set HttpOnly cookie flag - -cookie-name="_oauth2_proxy": the name of the cookie that the oauth_proxy creates - -cookie-refresh=0: refresh the cookie after this duration; 0 to disable - -cookie-secret="": the seed string for secure cookies - -cookie-secure=true: set secure (HTTPS) cookie flag - -custom-templates-dir="": path to custom html templates - -display-htpasswd-form=true: display username / password login form if an htpasswd file is provided - -email-domain=: authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email - -github-org="": restrict logins to members of this organisation - -github-team="": restrict logins to members of this team - -google-admin-email="": the google admin to impersonate for api calls - -google-group=: restrict logins to members of this google group (may be given multiple times). - -google-service-account-json="": the path to the service account json credentials - -htpasswd-file="": additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption - -http-address="127.0.0.1:4180": [http://]: or unix:// to listen on for HTTP clients - -https-address=":443": : to listen on for HTTPS clients - -login-url="": Authentication endpoint - -pass-access-token=false: pass OAuth access_token to upstream via X-Forwarded-Access-Token header - -pass-basic-auth=true: pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream - -pass-user-headers=true: pass X-Forwarded-User and X-Forwarded-Email information to upstream - -pass-host-header=true: pass the request Host Header to upstream - -profile-url="": Profile access endpoint - -provider="google": OAuth provider - -proxy-prefix="/oauth2": the url root path that this proxy should be nested under (e.g. //sign_in) - -redeem-url="": Token redemption endpoint - -redirect-url="": the OAuth Redirect URL. ie: "https://internalapp.yourcompany.com/oauth2/callback" - -resource="": the resource that is being protected. ie: "https://graph.windows.net". Currently only used in the Azure provider. - -request-logging=true: Log requests to stdout - -scope="": Oauth scope specification - -signature-key="": GAP-Signature request signature key (algorithm:secretkey) - -skip-auth-regex=: bypass authentication for requests path's that match (may be given multiple times) - -skip-auth-preflight=false: bypass authentication for OPTIONAL requests so preflight requests could succeed when using CORS - -skip-provider-button=false: will skip sign-in-page to directly reach the next step: oauth/start + -approval-prompt string: OAuth approval_prompt (default "force") + -authenticated-emails-file string: authenticate against emails via file (one per line) + -azure-tenant string: go to a tenant-specific or common (tenant-independent) endpoint. (default "common") + -basic-auth-password string: the password to set when passing the HTTP Basic Auth header + -client-id string: the OAuth Client ID: ie: "123456.apps.googleusercontent.com" + -client-secret string: the OAuth Client Secret + -config string: path to config file + -cookie-domain string: an optional cookie domain to force cookies to (ie: .yourcompany.com)* + -cookie-expire duration: expire timeframe for cookie (default 168h0m0s) + -cookie-httponly: set HttpOnly cookie flag (default true) + -cookie-name string: the name of the cookie that the oauth_proxy creates (default "_oauth2_proxy") + -cookie-refresh duration: refresh the cookie after this duration; 0 to disable + -cookie-secret string: the seed string for secure cookies (optionally base64 encoded) + -cookie-secure: set secure (HTTPS) cookie flag (default true) + -custom-templates-dir string: path to custom html templates + -display-htpasswd-form: display username / password login form if an htpasswd file is provided (default true) + -email-domain value: authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email + -footer string: custom footer string. Use "-" to disable default footer. + -github-org string: restrict logins to members of this organisation + -github-team string: restrict logins to members of this team + -google-admin-email string: the google admin to impersonate for api calls + -google-group value: restrict logins to members of this google group (may be given multiple times). + -google-service-account-json string: the path to the service account json credentials + -htpasswd-file string: additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption + -http-address string: [http://]: or unix:// to listen on for HTTP clients (default "127.0.0.1:4180") + -https-address string: : to listen on for HTTPS clients (default ":443") + -login-url string: Authentication endpoint + -pass-access-token: pass OAuth access_token to upstream via X-Forwarded-Access-Token header + -pass-basic-auth: pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream (default true) + -pass-host-header: pass the request Host Header to upstream (default true) + -pass-user-headers: pass X-Forwarded-User and X-Forwarded-Email information to upstream (default true) + -profile-url string: Profile access endpoint + -provider string: OAuth provider (default "google") + -proxy-prefix string: the url root path that this proxy should be nested under (e.g. //sign_in) (default "/oauth2") + -redeem-url string: Token redemption endpoint + -redirect-url string: the OAuth Redirect URL. ie: "https://internalapp.yourcompany.com/oauth2/callback" + -request-logging: Log requests to stdout (default true) + -resource string: The resource that is protected (Azure AD only) + -scope string: OAuth scope specification + -set-xauthrequest: set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode) + -signature-key string: GAP-Signature request signature key (algorithm:secretkey) + -skip-auth-preflight: will skip authentication for OPTIONS requests + -skip-auth-regex value: bypass authentication for requests path's that match (may be given multiple times) + -skip-provider-button: will skip sign-in-page to directly reach the next step: oauth/start -ssl-insecure-skip-verify: skip validation of certificates presented when using HTTPS - -tls-cert="": path to certificate file - -tls-key="": path to private key file - -upstream=: the http url(s) of the upstream endpoint or file:// paths for static files. Routing is based on the path - -validate-url="": Access token validation endpoint - -version=false: print version string + -tls-cert string: path to certificate file + -tls-key string: path to private key file + -upstream value: the http url(s) of the upstream endpoint or file:// paths for static files. Routing is based on the path + -validate-url string: Access token validation endpoint + -version: print version string ``` See below for provider specific options diff --git a/version.go b/version.go index 954119f..b6074ba 100644 --- a/version.go +++ b/version.go @@ -1,3 +1,3 @@ package main -const VERSION = "2.2.0-alpha" +const VERSION = "2.2.0"