meutel/oauth2_proxy
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Ensure groups in JWT Bearer tokens are also validated

Browse Source 
Fix a minor auth logging bug
This commit is contained in:
Brian Van Klaveren 2019-06-20 13:40:04 -07:00
parent 058ffd1047
commit bd651df3c2
1 changed files with 8 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
oauthproxy.go
View File

@ -650,7 +650,7 @@ func (p *OAuthProxy) OAuthCallback(rw http.ResponseWriter, req *http.Request) {
} }
http.Redirect(rw, req, redirect, 302) http.Redirect(rw, req, redirect, 302)
} else { } else {
logger.PrintAuthf(session.Email, req, logger.AuthSuccess, "Invalid authentication via OAuth2: unauthorized") logger.PrintAuthf(session.Email, req, logger.AuthFailure, "Invalid authentication via OAuth2: unauthorized")
p.ErrorPage(rw, 403, "Permission Denied", "Invalid Account") p.ErrorPage(rw, 403, "Permission Denied", "Invalid Account")
} }
} }
@ -759,11 +759,13 @@ func (p *OAuthProxy) getAuthenticatedSession(rw http.ResponseWriter, req *http.R
} }
} }
if session != nil && session.Email != "" && !p.Validator(session.Email) { if session != nil && session.Email != "" {
logger.Printf(session.Email, req, logger.AuthFailure, "Invalid authentication via session: removing session %s", session) if !p.Validator(session.Email) || !p.provider.ValidateGroup(session.Email) {
session = nil logger.Printf(session.Email, req, logger.AuthFailure, "Invalid authentication via session: removing session %s", session)
saveSession = false session = nil
clearSession = true saveSession = false
clearSession = true
}
} }
if saveSession && session != nil { if saveSession && session != nil {