Commit Graph

672 Commits

Author SHA1 Message Date
Jehiah Czebotar
3c51c914ac Merge pull request #405 from bspaans/patch-1
Update Google Auth Provider instructions
2017-06-21 09:24:24 -04:00
Bart Spaans
7fea71a4ce Update Google Auth Provider instructions 2017-06-21 11:03:24 +01:00
Jehiah Czebotar
cddd2fcd7c Merge pull request #402 from shividhar/master
Fix spelling mistake in docs
2017-06-09 12:23:50 -04:00
Shivansh Dhar
c8c6b66465 Fix spelling mistake in docs 2017-06-09 12:17:24 -04:00
Jehiah Czebotar
6d6cb7e1f8 Merge pull request #392 from arnottcr/master
[github provider] use Authorization header, not access_token query parameter
2017-05-26 08:42:07 -04:00
Colin Arnott
17b1fa31dd
use Authorization header, not access_token query parameter 2017-05-18 03:45:34 +00:00
Jehiah Czebotar
f4c356637f Merge pull request #382 from ploxiln/auth_request_readme
README: nginx auth_request example updates
2017-05-15 20:50:28 -04:00
Pierce Lopez
6d295f8446 README: nginx auth_request example refresh cookie handling
how to pass back the refreshed oauth2_proxy cookie from an nginx auth_request
2017-04-24 17:59:21 -04:00
Pierce Lopez
7f5672b433 README: simplify nginx auth_request example
/oauth2/auth is not more sensitive than other /oauth2/ paths,
does not need "internal" protection

"spdy" protocol is obsolete, http2 is the thing to enable now.
But it's orthogonal anyway.

No need for two separate content/upstream location blocks in
this example, reduce to just one, with a comment that it could
be serving files instead of proxying.
2017-04-24 17:56:15 -04:00
Jehiah Czebotar
ea2540bc89 Merge pull request #381 from ploxiln/dist_strip
dist.sh: use go build option to strip binaries
2017-04-24 16:34:22 -04:00
Pierce Lopez
68e3178812 dist.sh: use go build option to strip binaries
30% release binary size reduction
2017-04-24 16:04:36 -04:00
Pierce Lopez
d7e327d712 bump to version 2.2.1-alpha for development 2017-04-24 16:04:06 -04:00
Reed Loden
b6bd878f27 Don't set the cookie domain to the host by default, as it breaks Cookie Prefixes
The Cookie Prefixes spec disallows the use of the `domain` attribute in cookies
if the `__Host-` prefix is used
(https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00#section-3.2).

There's no need to set it to the host by default, so make it optional. If it is
set to a non-empty value, still output a warning if it is not a suffix of the
host, as that's likely not wanted.

Fixes #352.
2017-04-24 13:03:40 -07:00
Jehiah Czebotar
b90a23473f Merge pull request #380 from jehiah/release_380
Release v2.2
2017-04-24 12:22:11 -04:00
Jehiah Czebotar
f457a9042a Readme: update --help usage 2017-04-24 12:16:16 -04:00
Jehiah Czebotar
3fa5635d6c
Release 2.2.0 2017-04-24 12:11:23 -04:00
Jehiah Czebotar
f511cac6a6 Merge pull request #365 from travisofthenorth/fix/default-http-address
Fix url parse error
2017-04-20 14:57:39 -04:00
Jehiah Czebotar
120a47a526 Merge pull request #370 from idntfy/master
#369: Optionally allow skipping authentication for preflight requests
2017-04-07 09:20:33 -04:00
idntfy
1e7d2a08a3 #369: Optionally allow skipping authentication for preflight requests 2017-04-07 15:01:47 +03:00
Travis Hunter
f983933d88
Parse http address without url 2017-04-02 16:23:27 -04:00
Jehiah Czebotar
af7be2d622 Merge pull request #319 from advarisk/auth-request
various fixes for getting Nginx auth_request mode working
2017-03-29 12:14:24 -04:00
Ashish Kulkarni
fe44b89f57 update documentation for Nginx auth_request mode 2017-03-29 21:28:55 +05:30
Sjoerd Mulder
90a22b2f39 Use X-Auth-Request-Redirect request header in sign-in page
This is useful in Nginx auth_request mode, if a 401 handler is
configured to redirect to the sign-in page. As the request URL
does not reflect the actual URL, the value is taken from the
header "X-Auth-Request-Redirect" instead. Based on #247
2017-03-29 21:28:55 +05:30
Lukasz Siudut
829b442302 add --set-xauthrequest flag for use in Nginx auth_request mode
This is enhancement of #173 to use "Auth Request" consistently in
the command-line option, configuration file and response headers.
It always sets the X-Auth-Request-User response header and if the
email is available, sets X-Auth-Request-Email as well.
2017-03-29 21:28:55 +05:30
Jehiah Czebotar
93852a24cb Merge pull request #362 from jehiah/ssl_insecure_skip_verify_362
Option to skip SSL verification
2017-03-29 11:02:26 -04:00
Jehiah Czebotar
dcf62d06df option for skipping OAuth provider SSL verification 2017-03-29 10:57:07 -04:00
Jehiah Czebotar
bb9b607440 Merge pull request #361 from jehiah/gofmt_361
travis: run gofmt and go vet
2017-03-29 09:53:19 -04:00
Jehiah Czebotar
c5fc7baa86 gofmt 2017-03-29 09:36:38 -04:00
Jehiah Czebotar
c1116ea506 travis: run gofmt and go vet 2017-03-29 09:36:23 -04:00
Jehiah Czebotar
4464655276 Merge pull request #360 from jehiah/csrf_validation_360
CSRF protection for OAuth flow.
2017-03-29 09:36:04 -04:00
Colin Arnott
55085d9697 csrf protection; always set state 2017-03-29 09:31:10 -04:00
Jehiah Czebotar
6c690b699b Merge pull request #339 from omazhary/issue-205
Allow to pass user headers only
2017-03-28 21:42:29 -04:00
Jehiah Czebotar
107b4811b4 Merge pull request #346 from bdwyertech/patch-1
Oversize Cookie Alert
2017-03-28 21:40:11 -04:00
Jehiah Czebotar
cd0d13e3fb Merge pull request #357 from wrapp/skip-group-lookup-404
Skip 404 errors when looking up Google groups
2017-03-28 21:38:55 -04:00
Jehiah Czebotar
86d083266b Merge pull request #359 from jehiah/redirect_check_359
Improve redirect checks
2017-03-28 21:34:23 -04:00
Colin Arnott
289a6ccf46 add check for //.* to prevent open redirect during oauth 2017-03-28 21:12:33 -04:00
Eskil Andreen
652f43ed38 Skip 404 errors when looking up Google groups
When checking user membership against Google groups the groups are checked one
at a time and in the order that they were supplied. If one of the groups does
not exist then the checking is halted with the following error.

google.go:201: googleapi: Error 404: Resource Not Found: groupKey, notFound

None of the groups following the missing group are checked either. This means
that something as trivial as a typo in the first group will make it impossible
for anybody to login.

This change catches the 404, logs a message, and then carries on as usual. In
this way a typo will cause a particular group to stop working but will not
affect any other groups.
2017-03-28 16:06:15 +02:00
Jehiah Czebotar
712739f777 Merge pull request #356 from jehiah/bump_dependencies_356
Update vendored dependencies.
2017-03-27 21:07:08 -04:00
Jehiah Czebotar
2ebab604eb bump golang.org/x/... and google.golang.org dependencies 2017-03-27 20:56:15 -04:00
Jehiah Czebotar
b884b36f26 bump easy pkg upgrades; drop Go 1.6 (no httptest.NewRequest)
This fixes a test w request signing due to a content-length:0 header from Go 1.8
2017-03-27 20:36:35 -04:00
Jehiah Czebotar
951b5f325b Merge pull request #355 from ploxiln/dist_updates
dist.sh and Godeps updates
2017-03-27 20:16:44 -04:00
Pierce Lopez
9167c8ace8 travis: update go versions, gpm version 2017-03-27 19:40:12 -04:00
Pierce Lopez
a2eeec2b7a Godeps: remove redundant dep, add missing
golang.org/x/oauth2/google is same repo as golang.org/x/oauth2
  - this sometimes confused gpm/git

cloud.google.com/go/compute/metadata is a missing dependency
of golang.org/x/oauth2
2017-03-27 19:17:42 -04:00
Pierce Lopez
2024dc34ac dist.sh: run gpm with GOPATH=$DIR/.godeps
so gpm is not affected if module exists in user's GOPATH already
2017-03-27 19:13:05 -04:00
Pierce Lopez
86c9638572 dist.sh: already uses set "-e", remove "|| exit 1" 2017-03-27 18:16:39 -04:00
Jehiah Czebotar
7d920c98a6 Merge pull request #354 from ploxiln/dist_win_exe
dist.sh: add .exe for windows build
2017-03-27 14:49:40 -04:00
Pierce Lopez
bc3fe00be4 dist.sh: add .exe for windows build 2017-03-27 14:35:28 -04:00
Jehiah Czebotar
87847316d4 Merge pull request #349 from braincube-io/signout
[signout] Implement logout endpoint
2017-03-22 23:08:47 -04:00
Guillaume Bienkowski
562cc2e466 [signout] Implement logout endpoint 2017-03-21 17:40:47 +01:00
Brian Dwyer
3379e05fec Oversize Cookie Alert
Cookies cannot be larger than 4kb
2017-02-23 18:48:34 -05:00