From 071d17b521d3652380f02ecf80849712bec02526 Mon Sep 17 00:00:00 2001
From: Costel Moraru
Date: Wed, 10 Apr 2019 00:36:35 +0300
Subject: [PATCH 1/4] Expose -cookie-path as configuration parameter

---
 main.go | 1 +
 oauthproxy.go | 6 ++++--
 options.go | 1 +
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/main.go b/main.go
index 0989067..ac9f80f 100644
--- a/main.go
+++ b/main.go
@@ -69,6 +69,7 @@ func main() {
 flagSet.String("cookie-name", "_oauth2_proxy", "the name of the cookie that the oauth_proxy creates")
 flagSet.String("cookie-secret", "", "the seed string for secure cookies (optionally base64 encoded)")
 flagSet.String("cookie-domain", "", "an optional cookie domain to force cookies to (ie: .yourcompany.com)*")
+ flagSet.String("cookie-path", "/", "an optional cookie path to force cookies to (ie: /poc/)*")
 flagSet.Duration("cookie-expire", time.Duration(168)*time.Hour, "expire timeframe for cookie")
 flagSet.Duration("cookie-refresh", time.Duration(0), "refresh the cookie after this duration; 0 to disable")
 flagSet.Bool("cookie-secure", true, "set secure (HTTPS) cookie flag")
diff --git a/oauthproxy.go b/oauthproxy.go
index 24fea21..17767ad 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -56,6 +56,7 @@ type OAuthProxy struct {
 CookieName string
 CSRFCookieName string
 CookieDomain string
+ CookiePath string
 CookieSecure bool
 CookieHTTPOnly bool
 CookieExpire time.Duration
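Review bot: The help string on the added `flagSet.String("cookie-path", ...)` line calls the option "optional" although its default is "/", carries over the trailing `*` from the cookie-domain help (presumably a footnote marker that does not apply here), and uses `/poc/` as the example while the README in this series settles on `/foo`. Consider `flagSet.String("cookie-path", "/", "the Path attribute set on cookies created by the proxy; must begin with / (ie: /foo)")` so the three places agree. Nothing in this hunk checks the value's shape; that is raised on the makeCookie change in oauthproxy.go. main() continues outside the hunk.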
@@ -214,7 +215,7 @@ func NewOAuthProxy(opts *Options, validator func(string) bool) *OAuthProxy { refresh = fmt.Sprintf("after %s", opts.CookieRefresh) } - log.Printf("Cookie settings: name:%s secure(https):%v httponly:%v expiry:%s domain:%s refresh:%s", opts.CookieName, opts.CookieSecure, opts.CookieHTTPOnly, opts.CookieExpire, opts.CookieDomain, refresh) + log.Printf("Cookie settings: name:%s secure(https):%v httponly:%v expiry:%s domain:%s path:%s refresh:%s", opts.CookieName, opts.CookieSecure, opts.CookieHTTPOnly, opts.CookieExpire, opts.CookieDomain, opts.CookiePath, refresh) var cipher *cookie.Cipher if opts.PassAccessToken || opts.SetAuthorization || opts.PassAuthorization || (opts.CookieRefresh != time.Duration(0)) { @@ -230,6 +231,7 @@ func NewOAuthProxy(opts *Options, validator func(string) bool) *OAuthProxy { CSRFCookieName: fmt.Sprintf("%v_%v", opts.CookieName, "csrf"), CookieSeed: opts.CookieSecret, CookieDomain: opts.CookieDomain, + CookiePath: opts.CookiePath, CookieSecure: opts.CookieSecure, CookieHTTPOnly: opts.CookieHTTPOnly, CookieExpire: opts.CookieExpire, @@ -430,7 +432,7 @@ func (p *OAuthProxy) makeCookie(req *http.Request, name string, value string, ex return &http.Cookie{ Name: name, Value: value, - Path: "/", + Path: p.CookiePath, Domain: p.CookieDomain, HttpOnly: p.CookieHTTPOnly, Secure: p.CookieSecure, diff --git a/options.go b/options.go index b736521..620d626 100644 --- a/options.go +++ b/options.go 
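Review bot: `Path: p.CookiePath` is used without a guard in the makeCookie hunk, so an empty CookiePath makes net/http omit the Path attribute and the browser falls back to the default-path of the request URL (RFC 6265 §5.1.4), which for a cookie set on the callback would scope it to the proxy prefix rather than the whole site; the struct tags in options.go let the value arrive from cfg or env, where the flag's "/" default may not apply. A two-line fallback avoids this: `path := p.CookiePath` / `if path == "" { path = "/" }` followed by `Path: path,`. If the CSRF cookie is also built by makeCookie (its name sits in the same struct, so that seems likely), a path that does not cover the proxy-prefix keeps it from being returned on the callback and breaks the login flow, which the option's documentation should say. Cookie Path is also not a security boundary (RFC 6265 §8.5: content served from one path on a host can still read or overwrite cookies scoped to another path), so the option should be presented as scoping, not as isolation between applications on the same host. makeCookie's signature and body start outside the hunk.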
@@ -49,6 +49,7 @@ type Options struct { CookieName string `flag:"cookie-name" cfg:"cookie_name" env:"OAUTH2_PROXY_COOKIE_NAME"` CookieSecret string `flag:"cookie-secret" cfg:"cookie_secret" env:"OAUTH2_PROXY_COOKIE_SECRET"` CookieDomain string `flag:"cookie-domain" cfg:"cookie_domain" env:"OAUTH2_PROXY_COOKIE_DOMAIN"` + CookiePath string `flag:"cookie-path" cfg:"cookie_path" env:"OAUTH2_PROXY_COOKIE_PATH"` CookieExpire time.Duration `flag:"cookie-expire" cfg:"cookie_expire" env:"OAUTH2_PROXY_COOKIE_EXPIRE"` CookieRefresh time.Duration `flag:"cookie-refresh" cfg:"cookie_refresh" env:"OAUTH2_PROXY_COOKIE_REFRESH"` CookieSecure bool `flag:"cookie-secure" cfg:"cookie_secure" env:"OAUTH2_PROXY_COOKIE_SECURE"` From f5f64e7d6c0c8ba82e2627ad5d70e89b41fa46e3 Mon Sep 17 00:00:00 2001 From: Costel Moraru Date: Wed, 10 Apr 2019 00:42:17 +0300 Subject: [PATCH 2/4] Update the changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index c36c201..e2d38df 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,7 @@ - [#41](https://github.com/pusher/oauth2_proxy/pull/41) Added option to manually specify OIDC endpoints instead of relying on discovery - [#83](https://github.com/pusher/oauth2_proxy/pull/83) Add `id_token` refresh to Google provider (@leki75) - [#10](https://github.com/pusher/oauth2_proxy/pull/10) fix redirect url param handling (@dt-rush) +- [#122](https://github.com/pusher/oauth2_proxy/pull/122) Expose -cookie-path as configuration parameter (@costelmoraru) # v3.1.0 From dc8934ca930a09eb2e19a5ee709a8b3642ad74a9 Mon Sep 17 00:00:00 2001 From: Costel Moraru Date: Wed, 10 Apr 2019 12:52:50 +0300 Subject: [PATCH 3/4] Update documentation, to add the flag to the list of flags --- README.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 0a9cacb..65df515 100644 --- a/README.md +++ b/README.md 
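Review bot: The added `CookiePath` field gets neither a default in NewOptions() nor a check in Validate(), both outside this hunk and untouched by the series (options.go shows a single insertion), yet its `cfg`/`env` tags mean the value can come from a config file or OAUTH2_PROXY_COOKIE_PATH rather than from the flag whose definition carries the "/" default. Consider initialising it to "/" next to the other cookie defaults and rejecting values that do not start with "/" during validation, e.g. `if !strings.HasPrefix(o.CookiePath, "/") { /* record "cookie-path must start with /" */ }`, adapted to how Validate() collects its messages. The same missing guard is visible where makeCookie in oauthproxy.go uses the value directly.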
@@ -172,12 +172,12 @@ OpenID Connect is a spec for OAUTH 2.0 + identity that is implemented by many ma login.gov is an OIDC provider for the US Government. If you are a US Government agency, you can contact the login.gov team through the contact information that you can find on https://login.gov/developers/ and work with them to understand how to get login.gov -accounts for integration/test and production access. +accounts for integration/test and production access. A developer guide is available here: https://developers.login.gov/, though this proxy handles everything but the data you need to create to register your application in the login.gov dashboard. -As a demo, we will assume that you are running your application that you want to secure locally on +As a demo, we will assume that you are running your application that you want to secure locally on http://localhost:3000/, that you will be starting your proxy up on http://localhost:4180/, and that you have an agency integration account for testing. @@ -261,6 +261,7 @@ Usage of oauth2_proxy: -client-secret string: the OAuth Client Secret -config string: path to config file -cookie-domain string: an optional cookie domain to force cookies to (ie: .yourcompany.com) + -cookie-path string: an optional cookie path to force cookies to (ie: .yourcompany.com/foo) -cookie-expire duration: expire timeframe for cookie (default 168h0m0s) -cookie-httponly: set HttpOnly cookie flag (default true) -cookie-name string: the name of the cookie that the oauth_proxy creates (default "_oauth2_proxy") @@ -336,6 +337,7 @@ The following environment variables can be used in place of the corresponding co - `OAUTH2_PROXY_COOKIE_NAME` - `OAUTH2_PROXY_COOKIE_SECRET` - `OAUTH2_PROXY_COOKIE_DOMAIN` +- `OAUTH2_PROXY_COOKIE_PATH` - `OAUTH2_PROXY_COOKIE_EXPIRE` - `OAUTH2_PROXY_COOKIE_REFRESH` - `OAUTH2_PROXY_SIGNATURE_KEY` 
@@ -412,7 +414,7 @@ The command line to run `oauth2_proxy` in this configuration would look like thi OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The `/oauth2` prefix can be changed with the `--proxy-prefix` config variable. - /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see [robotstxt.org](http://www.robotstxt.org/) for more info -- /ping - returns a 200 OK response, which is intended for use with health checks +- /ping - returns a 200 OK response, which is intended for use with health checks - /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies) - /oauth2/start - a URL that will redirect to start the OAuth cycle - /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url. From 862e75a4e4a77fcbc0e036a835c45ec3c09c8c88 Mon Sep 17 00:00:00 2001 From: Costel Moraru Date: Wed, 10 Apr 2019 14:50:19 +0300 Subject: [PATCH 4/4] Adjusted the cookie path sample in the documentation --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 65df515..55f7c34 100644 --- a/README.md +++ b/README.md @@ -261,7 +261,7 @@ Usage of oauth2_proxy: -client-secret string: the OAuth Client Secret -config string: path to config file -cookie-domain string: an optional cookie domain to force cookies to (ie: .yourcompany.com) - -cookie-path string: an optional cookie path to force cookies to (ie: .yourcompany.com/foo) + -cookie-path string: an optional cookie path to force cookies to (ie: /foo) -cookie-expire duration: expire timeframe for cookie (default 168h0m0s) -cookie-httponly: set HttpOnly cookie flag (default true) -cookie-name string: the name of the cookie that the oauth_proxy creates (default "_oauth2_proxy")