Merge pull request #122 from costelmoraru/expose_cookie_path
Expose -cookie-path as configuration parameter
commit
bd64aeb7ee
@ -18,6 +18,7 @@
|
|||||||
- [#41](https://github.com/pusher/oauth2_proxy/pull/41) Added option to manually specify OIDC endpoints instead of relying on discovery
|
- [#41](https://github.com/pusher/oauth2_proxy/pull/41) Added option to manually specify OIDC endpoints instead of relying on discovery
|
||||||
- [#83](https://github.com/pusher/oauth2_proxy/pull/83) Add `id_token` refresh to Google provider (@leki75)
|
- [#83](https://github.com/pusher/oauth2_proxy/pull/83) Add `id_token` refresh to Google provider (@leki75)
|
||||||
- [#10](https://github.com/pusher/oauth2_proxy/pull/10) fix redirect url param handling (@dt-rush)
|
- [#10](https://github.com/pusher/oauth2_proxy/pull/10) fix redirect url param handling (@dt-rush)
|
||||||
|
- [#122](https://github.com/pusher/oauth2_proxy/pull/122) Expose -cookie-path as configuration parameter (@costelmoraru)
|
||||||
|
|
||||||
# v3.1.0
|
# v3.1.0
|
||||||
|
|
||||||
|
@ -172,12 +172,12 @@ OpenID Connect is a spec for OAUTH 2.0 + identity that is implemented by many ma
|
|||||||
login.gov is an OIDC provider for the US Government.
|
login.gov is an OIDC provider for the US Government.
|
||||||
If you are a US Government agency, you can contact the login.gov team through the contact information
|
If you are a US Government agency, you can contact the login.gov team through the contact information
|
||||||
that you can find on https://login.gov/developers/ and work with them to understand how to get login.gov
|
that you can find on https://login.gov/developers/ and work with them to understand how to get login.gov
|
||||||
accounts for integration/test and production access.
|
accounts for integration/test and production access.
|
||||||
|
|
||||||
A developer guide is available here: https://developers.login.gov/, though this proxy handles everything
|
A developer guide is available here: https://developers.login.gov/, though this proxy handles everything
|
||||||
but the data you need to create to register your application in the login.gov dashboard.
|
but the data you need to create to register your application in the login.gov dashboard.
|
||||||
|
|
||||||
As a demo, we will assume that you are running your application that you want to secure locally on
|
As a demo, we will assume that you are running your application that you want to secure locally on
|
||||||
http://localhost:3000/, that you will be starting your proxy up on http://localhost:4180/, and that
|
http://localhost:3000/, that you will be starting your proxy up on http://localhost:4180/, and that
|
||||||
you have an agency integration account for testing.
|
you have an agency integration account for testing.
|
||||||
|
|
||||||
@ -261,6 +261,7 @@ Usage of oauth2_proxy:
|
|||||||
-client-secret string: the OAuth Client Secret
|
-client-secret string: the OAuth Client Secret
|
||||||
-config string: path to config file
|
-config string: path to config file
|
||||||
-cookie-domain string: an optional cookie domain to force cookies to (ie: .yourcompany.com)
|
-cookie-domain string: an optional cookie domain to force cookies to (ie: .yourcompany.com)
|
||||||
|
-cookie-path string: an optional cookie path to force cookies to (ie: /foo)
|
||||||
-cookie-expire duration: expire timeframe for cookie (default 168h0m0s)
|
-cookie-expire duration: expire timeframe for cookie (default 168h0m0s)
|
||||||
-cookie-httponly: set HttpOnly cookie flag (default true)
|
-cookie-httponly: set HttpOnly cookie flag (default true)
|
||||||
-cookie-name string: the name of the cookie that the oauth_proxy creates (default "_oauth2_proxy")
|
-cookie-name string: the name of the cookie that the oauth_proxy creates (default "_oauth2_proxy")
|
||||||
@ -336,6 +337,7 @@ The following environment variables can be used in place of the corresponding co
|
|||||||
- `OAUTH2_PROXY_COOKIE_NAME`
|
- `OAUTH2_PROXY_COOKIE_NAME`
|
||||||
- `OAUTH2_PROXY_COOKIE_SECRET`
|
- `OAUTH2_PROXY_COOKIE_SECRET`
|
||||||
- `OAUTH2_PROXY_COOKIE_DOMAIN`
|
- `OAUTH2_PROXY_COOKIE_DOMAIN`
|
||||||
|
- `OAUTH2_PROXY_COOKIE_PATH`
|
||||||
- `OAUTH2_PROXY_COOKIE_EXPIRE`
|
- `OAUTH2_PROXY_COOKIE_EXPIRE`
|
||||||
- `OAUTH2_PROXY_COOKIE_REFRESH`
|
- `OAUTH2_PROXY_COOKIE_REFRESH`
|
||||||
- `OAUTH2_PROXY_SIGNATURE_KEY`
|
- `OAUTH2_PROXY_SIGNATURE_KEY`
|
||||||
@ -412,7 +414,7 @@ The command line to run `oauth2_proxy` in this configuration would look like thi
|
|||||||
OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The `/oauth2` prefix can be changed with the `--proxy-prefix` config variable.
|
OAuth2 Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated. The `/oauth2` prefix can be changed with the `--proxy-prefix` config variable.
|
||||||
|
|
||||||
- /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see [robotstxt.org](http://www.robotstxt.org/) for more info
|
- /robots.txt - returns a 200 OK response that disallows all User-agents from all paths; see [robotstxt.org](http://www.robotstxt.org/) for more info
|
||||||
- /ping - returns a 200 OK response, which is intended for use with health checks
|
- /ping - returns a 200 OK response, which is intended for use with health checks
|
||||||
- /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
|
- /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
|
||||||
- /oauth2/start - a URL that will redirect to start the OAuth cycle
|
- /oauth2/start - a URL that will redirect to start the OAuth cycle
|
||||||
- /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.
|
- /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this as the callback url.
|
||||||
|
1
main.go
1
main.go
@ -69,6 +69,7 @@ func main() {
|
|||||||
flagSet.String("cookie-name", "_oauth2_proxy", "the name of the cookie that the oauth_proxy creates")
|
flagSet.String("cookie-name", "_oauth2_proxy", "the name of the cookie that the oauth_proxy creates")
|
||||||
flagSet.String("cookie-secret", "", "the seed string for secure cookies (optionally base64 encoded)")
|
flagSet.String("cookie-secret", "", "the seed string for secure cookies (optionally base64 encoded)")
|
||||||
flagSet.String("cookie-domain", "", "an optional cookie domain to force cookies to (ie: .yourcompany.com)*")
|
flagSet.String("cookie-domain", "", "an optional cookie domain to force cookies to (ie: .yourcompany.com)*")
|
||||||
|
flagSet.String("cookie-path", "/", "an optional cookie path to force cookies to (ie: /poc/)*")
|
||||||
flagSet.Duration("cookie-expire", time.Duration(168)*time.Hour, "expire timeframe for cookie")
|
flagSet.Duration("cookie-expire", time.Duration(168)*time.Hour, "expire timeframe for cookie")
|
||||||
flagSet.Duration("cookie-refresh", time.Duration(0), "refresh the cookie after this duration; 0 to disable")
|
flagSet.Duration("cookie-refresh", time.Duration(0), "refresh the cookie after this duration; 0 to disable")
|
||||||
flagSet.Bool("cookie-secure", true, "set secure (HTTPS) cookie flag")
|
flagSet.Bool("cookie-secure", true, "set secure (HTTPS) cookie flag")
|
||||||
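Review bot: The help text on the new cookie-path flag does not match the usage string this same commit adds to the README (`(ie: /poc/)*` here versus `(ie: /foo)` there), and the trailing `*` is copied from the cookie-domain line whose footnote is not visible in this hunk, so it may point readers at nothing. The trailing slash in the example also matters: under RFC 6265 path-matching a cookie with Path=/poc/ is sent for /poc/x but not for /poc itself, whereas Path=/poc covers both and still does not match /pocket. Use the same example in both places and drop the asterisk unless the footnote applies, e.g. `flagSet.String("cookie-path", "/", "an optional cookie path to force cookies to (ie: /poc)")`. The body of main continues outside the hunk.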
|
@ -56,6 +56,7 @@ type OAuthProxy struct {
|
|||||||
CookieName string
|
CookieName string
|
||||||
CSRFCookieName string
|
CSRFCookieName string
|
||||||
CookieDomain string
|
CookieDomain string
|
||||||
|
CookiePath string
|
||||||
CookieSecure bool
|
CookieSecure bool
|
||||||
CookieHTTPOnly bool
|
CookieHTTPOnly bool
|
||||||
CookieExpire time.Duration
|
CookieExpire time.Duration
|
||||||
@ -214,7 +215,7 @@ func NewOAuthProxy(opts *Options, validator func(string) bool) *OAuthProxy {
|
|||||||
refresh = fmt.Sprintf("after %s", opts.CookieRefresh)
|
refresh = fmt.Sprintf("after %s", opts.CookieRefresh)
|
||||||
}
|
}
|
||||||
|
|
||||||
log.Printf("Cookie settings: name:%s secure(https):%v httponly:%v expiry:%s domain:%s refresh:%s", opts.CookieName, opts.CookieSecure, opts.CookieHTTPOnly, opts.CookieExpire, opts.CookieDomain, refresh)
|
log.Printf("Cookie settings: name:%s secure(https):%v httponly:%v expiry:%s domain:%s path:%s refresh:%s", opts.CookieName, opts.CookieSecure, opts.CookieHTTPOnly, opts.CookieExpire, opts.CookieDomain, opts.CookiePath, refresh)
|
||||||
|
|
||||||
var cipher *cookie.Cipher
|
var cipher *cookie.Cipher
|
||||||
if opts.PassAccessToken || opts.SetAuthorization || opts.PassAuthorization || (opts.CookieRefresh != time.Duration(0)) {
|
if opts.PassAccessToken || opts.SetAuthorization || opts.PassAuthorization || (opts.CookieRefresh != time.Duration(0)) {
|
||||||
@ -230,6 +231,7 @@ func NewOAuthProxy(opts *Options, validator func(string) bool) *OAuthProxy {
|
|||||||
CSRFCookieName: fmt.Sprintf("%v_%v", opts.CookieName, "csrf"),
|
CSRFCookieName: fmt.Sprintf("%v_%v", opts.CookieName, "csrf"),
|
||||||
CookieSeed: opts.CookieSecret,
|
CookieSeed: opts.CookieSecret,
|
||||||
CookieDomain: opts.CookieDomain,
|
CookieDomain: opts.CookieDomain,
|
||||||
|
CookiePath: opts.CookiePath,
|
||||||
CookieSecure: opts.CookieSecure,
|
CookieSecure: opts.CookieSecure,
|
||||||
CookieHTTPOnly: opts.CookieHTTPOnly,
|
CookieHTTPOnly: opts.CookieHTTPOnly,
|
||||||
CookieExpire: opts.CookieExpire,
|
CookieExpire: opts.CookieExpire,
|
||||||
@ -430,7 +432,7 @@ func (p *OAuthProxy) makeCookie(req *http.Request, name string, value string, ex
|
|||||||
return &http.Cookie{
|
return &http.Cookie{
|
||||||
Name: name,
|
Name: name,
|
||||||
Value: value,
|
Value: value,
|
||||||
Path: "/",
|
Path: p.CookiePath,
|
||||||
Domain: p.CookieDomain,
|
Domain: p.CookieDomain,
|
||||||
HttpOnly: p.CookieHTTPOnly,
|
HttpOnly: p.CookieHTTPOnly,
|
||||||
Secure: p.CookieSecure,
|
Secure: p.CookieSecure,
|
||||||
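Review bot: makeCookie now stamps p.CookiePath on every cookie it builds, but nothing visible checks that the path covers the proxy's own endpoints. If an operator sets a path that does not prefix the `--proxy-prefix` path (default /oauth2), the CSRF cookie written during /oauth2/start is not presented on /oauth2/callback and the session cookie set on the callback is not sent with upstream requests outside that prefix, so sign-in loops instead of failing loudly; whether the CSRF cookie is built through makeCookie is not visible here. A startup check beside the new cookie-settings log line in NewOAuthProxy would catch this, assuming the option behind `--proxy-prefix` is opts.ProxyPrefix: `if !strings.HasPrefix(opts.ProxyPrefix, opts.CookiePath) { log.Printf("WARNING: cookie-path %q does not cover proxy-prefix %q; sign-in cannot complete", opts.CookiePath, opts.ProxyPrefix) }`. The CookiePath field also deserves a comment that Path limits which requests carry the cookie but is not an isolation boundary between paths on the same origin (RFC 6265 §8.6), so HttpOnly and Secure remain the controls that matter. makeCookie's signature and the start of its body lie before this hunk.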
|
@ -49,6 +49,7 @@ type Options struct {
|
|||||||
CookieName string `flag:"cookie-name" cfg:"cookie_name" env:"OAUTH2_PROXY_COOKIE_NAME"`
|
CookieName string `flag:"cookie-name" cfg:"cookie_name" env:"OAUTH2_PROXY_COOKIE_NAME"`
|
||||||
CookieSecret string `flag:"cookie-secret" cfg:"cookie_secret" env:"OAUTH2_PROXY_COOKIE_SECRET"`
|
CookieSecret string `flag:"cookie-secret" cfg:"cookie_secret" env:"OAUTH2_PROXY_COOKIE_SECRET"`
|
||||||
CookieDomain string `flag:"cookie-domain" cfg:"cookie_domain" env:"OAUTH2_PROXY_COOKIE_DOMAIN"`
|
CookieDomain string `flag:"cookie-domain" cfg:"cookie_domain" env:"OAUTH2_PROXY_COOKIE_DOMAIN"`
|
||||||
|
CookiePath string `flag:"cookie-path" cfg:"cookie_path" env:"OAUTH2_PROXY_COOKIE_PATH"`
|
||||||
CookieExpire time.Duration `flag:"cookie-expire" cfg:"cookie_expire" env:"OAUTH2_PROXY_COOKIE_EXPIRE"`
|
CookieExpire time.Duration `flag:"cookie-expire" cfg:"cookie_expire" env:"OAUTH2_PROXY_COOKIE_EXPIRE"`
|
||||||
CookieRefresh time.Duration `flag:"cookie-refresh" cfg:"cookie_refresh" env:"OAUTH2_PROXY_COOKIE_REFRESH"`
|
CookieRefresh time.Duration `flag:"cookie-refresh" cfg:"cookie_refresh" env:"OAUTH2_PROXY_COOKIE_REFRESH"`
|
||||||
CookieSecure bool `flag:"cookie-secure" cfg:"cookie_secure" env:"OAUTH2_PROXY_COOKIE_SECURE"`
|
CookieSecure bool `flag:"cookie-secure" cfg:"cookie_secure" env:"OAUTH2_PROXY_COOKIE_SECURE"`
|
||||||
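Review bot: The new CookiePath field has no validation visible, and the empty value is the case to reject: the "/" default belongs to the flag only, so a blank `cookie_path` in the config file or `OAUTH2_PROXY_COOKIE_PATH=` in the environment (whether these override the flag default is not visible here) can leave the field empty, net/http then omits the Path attribute, and the browser falls back to the default-path of the setting URL (RFC 6265 §5.1.4), i.e. the callback's directory, so the session cookie never reaches upstream requests. Check it where the other options are validated, `if !strings.HasPrefix(o.CookiePath, "/") { … }` reporting `cookie-path must begin with '/'` in whatever form Validate already uses; the prefix test covers the empty string too. An explicit check also avoids a silently altered value, since net/http's cookie serializer drops `;` and non-printable bytes from Path and only logs a warning. The Options struct begins before this hunk.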