Add a new provider for Bitbucket,
can be configured from the options
specifying team and/or repository
that the user must be part/have access
to in order to grant login.
* Initial version of OIDC based GitLab provider
* Add support for email domain check to GitLab provider
* Add gitlab.com as default issuer for GitLab provider
* Update documentation for GitLab provider
* Update unit tests for new GitLab provider implementation
* Update CHANGELOG for GitLab provider
* Rename GitLab test access token as response to linter
* Check Google group membership with hasMember and get.
This PR is an enhancement built on
https://github.com/pusher/oauth2_proxy/pull/160. That PR reduces the
number of calls to the Google Admin API and simplifies the code by
using the hasMember method. It also supports checking membership in
nested groups.
However, the above message doesn't handle members who are not a part
of the domain. The hasMember API returns a 400 for that case. As a
fallback, when the API returns a 400, this change will try using the
`get` API which works as expected for members who aren't a part of the
domain. Supporting members who belong to the Google group but aren't
part of the domain is a requested feature from
https://github.com/pusher/oauth2_proxy/issues/95.
https://developers.google.com/admin-sdk/directory/v1/reference/members/get
Note that nested members who are not a part of the domain will not be
correctly detected with this change.
* Update CHANGELOG.
* Fix incorrect JSON and stop escaping strings.
* Add comments for each scenario.
* Current OIDC implementation asserts that user email check must come
from JWT token claims. OIDC specification also allows for source
of user email to be fetched from userinfo profile endpoint.
http://openid.net/specs/openid-connect-core-1_0.html#UserInfo
* First, attempt to retrieve email from JWT token claims. Then fall back to
requesting email from userinfo endpoint.
* Don't fallback to subject for email
https://github.com/bitly/oauth2_proxy/pull/481
Fix an unsupported protocol scheme error when validating tokens by
ensuring that the ValidateURL generates a non-empty string. The Azure
provider doesn't define any ValidateURL and therefore uses the default
value of `url.Parse("")` which is not `nil`.
The following log summary shows the issue:
2019/06/14 12:26:04 oauthproxy.go:799: 10.244.1.3:34112 ("10.244.1.1") refreshing 16h26m29s old session cookie for Session{email:jonas.fonseca@example.com user:jonas.fonseca token:true} (refresh after 1h0m0s)
2019/06/14 12:26:04 internal_util.go:60: GET ?access_token=eyJ0...
2019/06/14 12:26:04 internal_util.go:61: token validation request failed: Get ?access_token=eyJ0...: unsupported protocol scheme ""
2019/06/14 12:26:04 oauthproxy.go:822: 10.244.1.3:34112 ("10.244.1.1") removing session. error validating Session{email:jonas.fonseca@example.com user:jonas.fonseca token:true}
* Use encoding/json for SessionState serialization
In order to make it easier to extend in future.
* Store only email and user in cookie when cipher is unavailable
This improves safety and robustness, and also preserves the existing
behaviour.
* Add TestEncodeSessionState/TestDecodeSessionState
Use the test vectors with JSON encoding just introduced.
* Support session state encoding in older versions
* Add test cases for legacy session state strings
* Add check for wrong expiration time in session state strings
* Avoid exposing time.Time zero value when encoding session state string
* Update CHANGELOG.md
* first stab at login.gov provider
* fixing bugs now that I think I understand things better
* fixing up dependencies
* remove some debug stuff
* Fixing all dependencies to point at my fork
* forgot to hit save on the github rehome here
* adding options for setting keys and so on, use JWT workflow instead of PKCE
* forgot comma
* was too aggressive with search/replace
* need JWTKey to be byte array
* removed custom refresh stuff
* do our own custom jwt claim and store it in the normal session store
* golang json types are strange
* I have much to learn about golang
* fix time and signing key
* add http lib
* fixed claims up since we don't need custom claims
* add libs
* forgot ioutil
* forgot ioutil
* moved back to pusher location
* changed proxy github location back so that it builds externally, fixed up []byte stuff, removed client_secret if we are using login.gov
* update dependencies
* do JWTs properly
* finished oidc flow, fixed up tests to work better
* updated comments, added test that we set expiresOn properly
* got confused with header and post vs get
* clean up debug and test dir
* add login.gov to README, remove references to my repo
* forgot to remove un-needed code
* can use sample_key* instead of generating your own
* updated changelog
* apparently golint wants comments like this
* linter wants non-standard libs in a separate grouping
* Update options.go
Co-Authored-By: timothy-spencer <timothy.spencer@gsa.gov>
* Update options.go
Co-Authored-By: timothy-spencer <timothy.spencer@gsa.gov>
* remove sample_key, improve comments related to client-secret, fix changelog related to PR feedback
* github doesn't seem to do gofmt when merging. :-)
* update CODEOWNERS
* check the nonce
* validate the JWT fully
* forgot to add pubjwk-url to README
* unexport the struct
* fix up the err masking that travis found
* update nonce comment by request of @JoelSpeed
* argh. Thought I'd formatted the merge properly, but apparently not.
* fixed test to not fail if the query time was greater than zero
For some GHE instances where a user can have more than 100
organizations, traversing the other pages is important otherwise
oauth2_proxy will consider the user unauthorized. This change traverses
the list returned by the API to avoid that.
Update github provider tests to include this case.
- Save both user and email in session state:
Encoding/decoding methods save both email and user
field in session state, for use cases when User is not derived from
email's local-parth, like for GitHub provider.
For retrocompatibility, if no user is obtained by the provider,
(e.g. User is an empty string) the encoding/decoding methods fall back
to the previous behavior and use the email's local-part
Updated also related tests and added two more tests to show behavior
when session contains a non-empty user value.
- Added first basic GitHub provider tests
- Added GetUserName method to Provider interface
The new GetUserName method is intended to return the User
value when this is not the email's local-part.
Added also the default implementation to provider_default.go
- Added call to GetUserName in redeemCode
the new GetUserName method is used in redeemCode
to get SessionState User value.
For backward compatibility, if GetUserName error is
"not implemented", the error is ignored.
- Added GetUserName method and tests to github provider.
Henry Jenkins
aledeganopix4d
Ryan Luckie
Alexander Overvoorde
Justin Palpant
Karel Pokorny
Ryan Luckie
Joel Speed
Daryl Finlay
Brian Van Klaveren
Jonas Fonseca
Benjamin Chess
Phil Taprogge
MisterWil
Costel Moraru
Carlos Alexandro Becker
YAEGASHI Takeshi
Tim Spencer
Aigars Mahinovs
Gabor Lekeny
Daniel Lamando
Mark Maglana
Carlo Lobrano