Commit Graph

123 Commits

Author SHA1 Message Date
einfachchr
f715c9371b Fixes deletion of splitted cookies - Issue #69 (#70)
* fixes deletion of splitted cookies

* three minor adjustments to improve the tests

* changed cookie name matching to regex

* Update oauthproxy.go

Co-Authored-By: einfachchr <einfachchr@gmail.com>

* removed unused variable

* Changelog
2019-03-15 07:18:37 +00:00
Joel Speed
e195a74e26
Revert OAuthCallbackPath 2019-03-12 16:46:37 +00:00
Adam Szalkowski
c7193b4085 Merge websocket proxy feature from openshift/oauth-proxy. Original author: Hiram Chirino <hiram@hiramchirino.com> 2019-03-11 14:05:16 +01:00
dt-rush
549766666e fix redirect url param handling (#10)
* Added conditional to prevent user-supplied redirect URL getting
clobbered

Change-type: patch

* use redirectURL as OAuthCallbackURL (as it should be!)

Change-type: patch
2019-03-05 14:58:26 +00:00
David Holsgrove
2280b42f59 Access token forwarding through nginx auth request (#68)
* Access token forwarding through nginx auth request

Related to #420.

(cherry picked from commit b138872bea)
Signed-off-by: David Holsgrove <david.holsgrove@biarri.com>

* Improved documentation for auth request token

(cherry picked from commit 6fab314f72)
Signed-off-by: David Holsgrove <david.holsgrove@biarri.com>

* Update README.md

Example should set header as `X-Access-Token`

Co-Authored-By: davidholsgrove <davidholsgrove@users.noreply.github.com>

* Update Changelog to reference https://github.com/pusher/oauth2_proxy/pull/68

* Fix Changelog message location
2019-02-22 07:49:57 +00:00
Joel Speed
fb13ee87c8
Merge pull request #34 from marratj/cookie-separator
Change cookie index separator to underscore
2019-02-03 13:21:51 +00:00
Joel Speed
fa2545636b
Merge pull request #15 from pusher/whitelist-domains
Whitelist domains
2019-02-02 18:55:37 +00:00
Marcel Juhnke
a339baf94e change cookie index separator to underscore 2019-01-31 20:07:28 +01:00
Cosmin Cojocar
3326194422 Extract the application/json mime type into a const 2019-01-31 16:23:01 +01:00
Cosmin Cojocar
c12db0ebf7 Returns HTTP unauthorized for ajax requests instead of redirecting to the sing-in page 2019-01-31 16:23:01 +01:00
Steve Arch
01c5f5ae3b Implemented flushing interval (#23)
* Implemented flushing interval

When proxying streaming responses, it would not flush the response writer buffer until some seemingly random point (maybe the number of bytes?). This makes it flush every 1 second by default, but with a configurable interval.

* flushing CHANGELOG

* gofmt and goimports
2019-01-31 14:02:15 +00:00
Joel Speed
bc4d5941fc
Remove duplicated logic 2019-01-30 17:30:48 +00:00
Joel Speed
2a1691a994
Add whitelist domains flag 2019-01-30 17:30:40 +00:00
Steve Arch
090ff11923 redirect to original path after login (#24)
* redirect to original path after login

* tests for new redirect behaviour

* fixed comment

* added redirect fix to changelog
2019-01-29 12:13:02 +00:00
Joel Speed
714e2bdfba
Fix cookie split should account for cookie name 2019-01-22 11:34:55 +00:00
Joel Speed
d4b588dbe9
Split large cookies 2019-01-22 11:34:54 +00:00
Joel Speed
68d4164897
Add Authorization header flags 2019-01-22 11:34:23 +00:00
Joel Speed
d37cc2889e
Fix err declaration shadowing 2018-12-20 10:46:19 +00:00
Joel Speed
ee913fb788
Add comments to exported methods for root package 2018-12-20 09:30:42 +00:00
Joel Speed
8ee802d4e5
Lint for non-comment linter errors 2018-11-29 14:26:41 +00:00
Joel Speed
847cf25228
Move imports from bitly to pusher 2018-11-27 11:45:05 +00:00
Pierce Lopez
74d0fbc868 more robust ClearSessionCookie()
default domain changed from request Host to blank, recently
try to clear cookies for both
2017-12-18 21:16:51 -05:00
Carlo Lobrano
731fa9f8e0 Github provider: use login as user
- Save both user and email in session state:
    Encoding/decoding methods save both email and user
    field in session state, for use cases when User is not derived from
    email's local-parth, like for GitHub provider.

    For retrocompatibility, if no user is obtained by the provider,
    (e.g. User is an empty string) the encoding/decoding methods fall back
    to the previous behavior and use the email's local-part

    Updated also related tests and added two more tests to show behavior
    when session contains a non-empty user value.

- Added first basic GitHub provider tests

- Added GetUserName method to Provider interface
    The new GetUserName method is intended to return the User
    value when this is not the email's local-part.

    Added also the default implementation to provider_default.go

- Added call to GetUserName in redeemCode

    the new GetUserName method is used in redeemCode
    to get SessionState User value.

    For backward compatibility, if GetUserName error is
    "not implemented", the error is ignored.

- Added GetUserName method and tests to github provider.
2017-11-20 20:02:27 +01:00
Mike Bland
e241fe86d3
Switch from 18F/hmacauth to mbland/hmacauth
Since I'm no longer with 18F, I've re-released hmacauth under the ISC
license as opposed to the previous CC0 license. There have been no
changes to the hmacauth code itself, and all tests still pass.
2017-11-07 07:55:24 -05:00
Jehiah Czebotar
bfda078caa Merge pull request #376 from reedloden/make-cookie-domain-optional
Don't set the cookie domain to the host by default, as it breaks Cookie Prefixes
2017-10-23 14:14:45 -04:00
Alan Braithwaite
b640a69d63 oauthproxy: fix #284 -skip-provider-button for /sign_in route 2017-06-21 15:05:36 -07:00
Reed Loden
b6bd878f27 Don't set the cookie domain to the host by default, as it breaks Cookie Prefixes
The Cookie Prefixes spec disallows the use of the `domain` attribute in cookies
if the `__Host-` prefix is used
(https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00#section-3.2).

There's no need to set it to the host by default, so make it optional. If it is
set to a non-empty value, still output a warning if it is not a suffix of the
host, as that's likely not wanted.

Fixes #352.
2017-04-24 13:03:40 -07:00
idntfy
1e7d2a08a3 #369: Optionally allow skipping authentication for preflight requests 2017-04-07 15:01:47 +03:00
Sjoerd Mulder
90a22b2f39 Use X-Auth-Request-Redirect request header in sign-in page
This is useful in Nginx auth_request mode, if a 401 handler is
configured to redirect to the sign-in page. As the request URL
does not reflect the actual URL, the value is taken from the
header "X-Auth-Request-Redirect" instead. Based on #247
2017-03-29 21:28:55 +05:30
Lukasz Siudut
829b442302 add --set-xauthrequest flag for use in Nginx auth_request mode
This is enhancement of #173 to use "Auth Request" consistently in
the command-line option, configuration file and response headers.
It always sets the X-Auth-Request-User response header and if the
email is available, sets X-Auth-Request-Email as well.
2017-03-29 21:28:55 +05:30
Jehiah Czebotar
c5fc7baa86 gofmt 2017-03-29 09:36:38 -04:00
Colin Arnott
55085d9697 csrf protection; always set state 2017-03-29 09:31:10 -04:00
Jehiah Czebotar
6c690b699b Merge pull request #339 from omazhary/issue-205
Allow to pass user headers only
2017-03-28 21:42:29 -04:00
Jehiah Czebotar
107b4811b4 Merge pull request #346 from bdwyertech/patch-1
Oversize Cookie Alert
2017-03-28 21:40:11 -04:00
Colin Arnott
289a6ccf46 add check for //.* to prevent open redirect during oauth 2017-03-28 21:12:33 -04:00
Guillaume Bienkowski
562cc2e466 [signout] Implement logout endpoint 2017-03-21 17:40:47 +01:00
Brian Dwyer
3379e05fec Oversize Cookie Alert
Cookies cannot be larger than 4kb
2017-02-23 18:48:34 -05:00
Omar Elazhary
24f91a0b60 Allow to pass user headers only (issue #205)
* This fixes https://github.com/bitly/oauth2_proxy/issues/205
* Add new boolean option -pass-user-headers
  to control whether X-Forwarded-User and X-Forwarded-Email
  headers will be set (as opposed to HTTP BASIC auth)
* This is required e.g. for grafana [1] where
  X-Forwarded-User is needed but HTTP BASIC auth fails
  (password is not known and must not be known in this scenario)
* Keep behaviour of PassBasicAuth unchanged for compatibility

[1] http://docs.grafana.org/installation/configuration/#authproxy
2017-01-24 11:11:58 +01:00
Jehiah Czebotar
cdebfd6436
base64 cookie support 2016-06-20 07:45:43 -04:00
Jehiah Czebotar
57f82ed71e
Custom footer text (optional)
Closes #256 and #166
2016-06-18 23:54:32 -04:00
Jehiah Czebotar
168cff9d4b Merge pull request #161 from rahdjoudj/master
adding option to skip provider button sign_in page
2016-06-18 23:31:39 -04:00
Pranay Kanwar
f957a1e435 Validate state param while redirecting 2016-01-19 13:14:16 +05:30
Mike Bland
e4626c1360 Sign Upstream requests with HMAC. closes #147 2015-11-15 22:09:30 -05:00
Reda Ahdjoudj
35547a40cb adding option to skip provider button sign_in page 2015-11-11 11:42:35 +11:00
Mike Bland
462f6d03d2 Extract Authenticate for Proxy, AuthenticateOnly 2015-11-09 10:32:16 -05:00
Mike Bland
e61fc9e7a6 Add /auth endpoint to support Nginx's auth_request
Closes #152.
2015-11-09 10:31:41 -05:00
Brandon Philips
6db18804f3 *: rename Oauth to OAuth
Be consistent with Go capitalization styling and use a single way of
spelling this across the tree.
2015-11-09 00:57:01 +01:00
Brandon Philips
1ff2fce25b oauthproxy: rename Uri to URI
Be consistent with Go coding style for acroynyms.
2015-11-09 00:50:42 +01:00
Brandon Philips
51a2e4e48c *: rename Url to URL everywhere
Go coding style says that acronyms should be all lower or all upper. Fix
Url to URL.
2015-11-09 00:47:44 +01:00
John Boxall
a653c3eeeb Pass ProxyPrefix into the error template.
The default `error.html` uses `ProxyPrefix` but it isn't supplied in the context, causing it to error.
2015-10-03 15:59:47 -07:00