Commit Graph

780 Commits

Author SHA1 Message Date
Ben
66c5eb3174 Small clarification around health checks (#84)
Type: docs
I simply added the word health check. I was searching all over the
package for a health check, to only realise that it had been called
ping. I think the small addition might help others avoid my troubles.
2019-03-05 14:09:30 +00:00
Gabor Lekeny
eacba4ec7d Add id_token refresh to Google provider (#83) 2019-03-05 14:07:10 +00:00
Karl Skewes
80b5873a26 Potentially breaking change: docker user & group
Run as non-root user and group

In the unlikely event that you are currently persisting data to disk then this
change may break file read/write access due to a change in the UID/GID that the
oauth2_proxy process runs as.

Run as non-root system user and group `oauth2proxy` with UID/GID `2000` to avoid clashing with typical local users.
An alternative to creating a separate user is to ~~chown binary and~~ run as `USER nobody`, which also works, can amend this PR if required.

Least access privileges.
Close: https://github.com/pusher/oauth2_proxy/issues/78

Locally with Docker (`-version`):
```
$ ps aux | grep oauth2
2000     25192  6.0  0.0      0     0 ?        Ds   15:53   0:00 [oauth2_proxy]
```

Running in Kubernetes 1.13 with the following also specified:
```
        securityContext:
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 10001
```
```
$ kubectl exec -it -n oauth2-proxy oauth2-proxy-85c9f58ffc-dz9lr sh
/opt $ whoami
whoami: unknown uid 10001
/opt $ ps aux
PID   USER     TIME  COMMAND
    1 10001     0:00 /opt/oauth2_proxy --whitelist-domain=.example.com --cookie-domain=example.com --email-domain=example.com --upstream=file:///dev/null --http-address=0.0.0.0:4180
   11 10001     0:00 sh
   17 10001     0:00 ps aux
```

<!--- Go over all the following points, and put an `x` in all the boxes that apply. -->
<!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! -->

- [x] My change requires a change to the documentation or CHANGELOG.
- [x] I have updated the documentation/CHANGELOG accordingly.
- [x] I have created a feature (non-master) branch for my PR.
2019-03-05 21:37:04 +13:00
Marcel D. Juhnke
8816a2a972 Add -skip-oidc-discovery option (#41)
* added karrieretutor go-oidc fork for using an AAD B2C Policy

* added karrieretutor go-oidc fork for using an AAD B2C Policy

* added --skip-oidc-discovery option

* added --skip-oidc-discovery option

* add simple test for skip-oidc-discovery option

* revert Dockerfile to pusher upstream

* revert Dockerfile to pusher upstream

* remove karrieretutor b2c option leftover

* remove karrieretutor b2c option leftover

* Fix typo (missing letters)

Co-Authored-By: marratj <marrat@marrat.de>

* Fix typo (missing letters)

Co-Authored-By: marratj <marrat@marrat.de>

* replace fake http client with NewProvider() from go-oidc

* remove OIDC UserInfo URL option (not required)

* add info about -skip-oidc-discovery to README

* add note to changelog

* Update outdated comment
2019-03-04 13:54:22 +00:00
MisterWil
2ca2c48bd9 Added list of variables for logging formats. 2019-02-26 08:53:41 -08:00
MisterWil
45742d326d Merge remote-tracking branch 'origin/master' into enhanced_logging 2019-02-26 08:27:06 -08:00
Mathias Söderberg
fb1614c873
Merge pull request #76 from simplesurance/improve_configure_gopath
build: fix: configure fails if GOPATH environment variable not set
2019-02-25 10:17:48 +00:00
Fabian Holler
1c16c2c055 build: fix: configure fails if GOPATH environment variable not set
If the GOPATH environment variable was not set, go uses the default
GOPATH (~/go/).

The configure script was only checking if the GOPATH environment
variable is set. If it wasn't, the script was failing.

Instead of checking if the GOPATH environment variable is set, check if
"go env GOPATH" returns a non-empty string.
2019-02-25 10:48:19 +01:00
David Holsgrove
2280b42f59 Access token forwarding through nginx auth request (#68)
* Access token forwarding through nginx auth request

Related to #420.

(cherry picked from commit b138872bea)
Signed-off-by: David Holsgrove <david.holsgrove@biarri.com>

* Improved documentation for auth request token

(cherry picked from commit 6fab314f72)
Signed-off-by: David Holsgrove <david.holsgrove@biarri.com>

* Update README.md

Example should set header as `X-Access-Token`

Co-Authored-By: davidholsgrove <davidholsgrove@users.noreply.github.com>

* Update Changelog to reference https://github.com/pusher/oauth2_proxy/pull/68

* Fix Changelog message location
2019-02-22 07:49:57 +00:00
Martin Loetzsch
8d73740425 Remove backslashes from azure configuration example 2019-02-19 14:59:13 +01:00
Joel Speed
c83335324e
Merge pull request #59 from aslafy-z/patch-1
Add oidc-issuer-url arg to README
2019-02-17 11:56:05 +00:00
MisterWil
398f85c30f Updated changelog 2019-02-15 10:29:24 -08:00
MisterWil
8a2dc3c51d Merge remote-tracking branch 'origin/master' into enhanced_logging 2019-02-15 10:14:18 -08:00
MisterWil
b8da1dec4a Fixed linting errors. 2019-02-15 10:07:25 -08:00
Zadkiel
da7d340519
Reorder arg line 2019-02-13 16:36:45 +01:00
Zadkiel
7404195c6e
Add oidc-issuer-url arg to README 2019-02-13 16:34:46 +01:00
MisterWil
2e5c877dd1 Self code review changes 2019-02-10 09:01:13 -08:00
MisterWil
b46e34be72 Auth and standard logging with file rolling 2019-02-10 08:37:45 -08:00
Joel Speed
ec4444fa3b
Merge pull request #50 from pusher/release-v3.1.0
Update release notes for v3.1.0
2019-02-09 10:13:09 +00:00
Joel Speed
09c6bd77ed
Add note on changed flush-interval behaviour 2019-02-08 14:16:41 +00:00
Joel Speed
5b95ed3552
Update release notes for v3.1.0 2019-02-08 11:57:17 +00:00
Joel Speed
402ce6f0cb
Merge pull request #39 from pusher/arm-quay
Add Quay links to ARM repositories
2019-02-08 11:07:58 +00:00
Joel Speed
bdf68cc5f0
Remove --long from git describe 2019-02-08 10:10:52 +00:00
Joel Speed
b7fd0a1b7e
Add push target to Makefile 2019-02-08 10:07:02 +00:00
Martin Loetzsch
2ca5de9d44 update Readme for Azure Active Directory 2019-02-06 23:07:53 +01:00
Joel Speed
dd9781ddfe
Merge pull request #43 from rafaelmagu/gzip-binary-archives
Ensure binary archives are gzipped
2019-02-06 21:31:20 +00:00
Rafael Fonseca
2bfcb4ca22
Ensure binary archives are gzipped 2019-02-07 09:59:19 +13:00
Joel Speed
92c4424639
Merge pull request #37 from kskewes/dockerarm
feat(arm): Cross build arm and arm64 docker images
2019-02-04 10:36:40 +00:00
Joel Speed
fb13ee87c8
Merge pull request #34 from marratj/cookie-separator
Change cookie index separator to underscore
2019-02-03 13:21:51 +00:00
Joel Speed
fa2545636b
Merge pull request #15 from pusher/whitelist-domains
Whitelist domains
2019-02-02 18:55:37 +00:00
Marcel D. Juhnke
72d4c49be0 remove duplicate lines 2019-02-02 15:00:10 +01:00
Joel Speed
cd37a14fc0
Added more context as suggested by JoelSpeed.
Co-Authored-By: marratj <marrat@marrat.de>
2019-02-02 12:47:21 +01:00
Karl Skewes
f289543dc6 fix(docker): simplify build by copying ca-certificates.crt 2019-02-02 20:01:27 +13:00
Karl Skewes
90e6bd278e feat(arm): Cross build arm and arm64 docker images
- Requires `qemu-user-static`, added to travis - maybe incorrect?
- Add build guide
- `.gitignore` `release/` directory
2019-02-02 13:25:20 +13:00
Marcel Juhnke
c574346086 add nginx cookie part extraction to README 2019-02-01 18:10:44 +01:00
Joel Speed
c6d2126dcc
Merge pull request #35 from kskewes/build
feat(arm): Makefile add armv6 and arm64 to releases
2019-01-31 20:29:45 +00:00
Karl Skewes
2bdf00a692 feat(arm): Makefile add armv6 and arm64 to releases 2019-02-01 08:30:50 +13:00
Marcel Juhnke
a339baf94e change cookie index separator to underscore 2019-01-31 20:07:28 +01:00
Joel Speed
b5b0633e0b
Merge pull request #32 from ccojocar/ajax_401
Returns HTTP unauthorized for ajax requests instead of redirecting to the sign-in page
2019-01-31 15:56:26 +00:00
Cosmin Cojocar
3326194422 Extract the application/json mime type into a const 2019-01-31 16:23:01 +01:00
Cosmin Cojocar
c12db0ebf7 Returns HTTP unauthorized for ajax requests instead of redirecting to the sign-in page 2019-01-31 16:23:01 +01:00
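The behaviour the two commits above describe, as an added example that is not code from the oauth2_proxy repository: a guard that redirects unauthenticated browsers to the sign-in page but answers unauthenticated JSON clients with 401, so that a fetch/XHR call does not silently follow a 302 and receive the sign-in HTML as a "200". The cookie name `_oauth2_proxy`, the sign-in path `/oauth2/sign_in` and the presence-only session check are example assumptions, not the project's session handling.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// applicationJSON is the media type that marks a request as coming from
// script rather than from a navigating browser.
const applicationJSON = "application/json"

// isAjaxRequest reports whether any Accept media range is application/json.
// Parameters such as ";q=0.9" are stripped before comparing.
func isAjaxRequest(r *http.Request) bool {
	for _, accept := range r.Header["Accept"] {
		for _, part := range strings.Split(accept, ",") {
			mediaType := strings.TrimSpace(strings.SplitN(part, ";", 2)[0])
			if strings.EqualFold(mediaType, applicationJSON) {
				return true
			}
		}
	}
	return false
}

// requireAuth guards next: authenticated requests pass through; unauthenticated
// AJAX callers get 401 Unauthorized; everyone else is redirected to sign-in.
func requireAuth(signInPath string, authenticated func(*http.Request) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if authenticated(r) {
			next.ServeHTTP(w, r)
			return
		}
		if isAjaxRequest(r) {
			http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
			return
		}
		http.Redirect(w, r, signInPath, http.StatusFound)
	})
}

// hasSessionCookie is a stand-in for the real session check (assumption: the
// cookie name and treating its mere presence as a valid session are example
// simplifications, not how the project validates sessions).
func hasSessionCookie(r *http.Request) bool {
	_, err := r.Cookie("_oauth2_proxy")
	return err == nil
}

// newHandler wires the guard in front of a trivial upstream.
func newHandler() http.Handler {
	upstream := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	return requireAuth("/oauth2/sign_in", hasSessionCookie, upstream)
}

// statusFor sends one constructed request through h and returns the status code.
func statusFor(h http.Handler, accept string, withSession bool) int {
	req := httptest.NewRequest(http.MethodGet, "/api/data", nil)
	if accept != "" {
		req.Header.Set("Accept", accept)
	}
	if withSession {
		req.AddCookie(&http.Cookie{Name: "_oauth2_proxy", Value: "opaque"})
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := newHandler()
	fmt.Println("browser, no session:", statusFor(h, "text/html", false))
	fmt.Println("ajax, no session:", statusFor(h, "application/json", false))
	fmt.Println("ajax, with session:", statusFor(h, "application/json", true))
}
```

A request with no Accept header at all is treated as a browser and redirected; only an explicit application/json media range switches the response to 401.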
Steve Arch
01c5f5ae3b Implemented flushing interval (#23)
* Implemented flushing interval

When proxying streaming responses, it would not flush the response writer buffer until some seemingly random point (maybe the number of bytes?). This makes it flush every 1 second by default, but with a configurable interval.

* flushing CHANGELOG

* gofmt and goimports
2019-01-31 14:02:15 +00:00
Joel Speed
787d3da9d2
Merge pull request #33 from adamdecaf/watcher-break
watcher: properly break out in nested blocks
2019-01-31 09:54:17 +00:00
Adam Shannon
6a775b97c9 watcher: properly break out in nested blocks
Found via staticcheck:

watcher.go:48:5: ineffective break statement. Did you mean to break out of the outer loop? (SA4011)
2019-01-30 18:54:27 -06:00
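The staticcheck finding SA4011 quoted in the commit above, reproduced in an added example that is not the watcher.go code itself: in Go an unlabeled `break` leaves only the innermost `for`, `switch` or `select`, so a `break` inside a `switch` (or `select`) nested in a loop does not end the loop. The two functions below show the ineffective form and the labeled-break fix on a constructed slice; the watcher's real loop is over channel events, but the language rule is the same.

```go
package main

import "fmt"

// countUntilNegativeBuggy reproduces the pattern staticcheck flags as SA4011:
// the break inside the switch only leaves the switch, so the surrounding for
// loop carries on and every element is still counted.
func countUntilNegativeBuggy(xs []int) int {
	n := 0
	for _, x := range xs {
		switch {
		case x < 0:
			break // exits the switch only; the loop does not stop
		}
		n++
	}
	return n
}

// countUntilNegative is the fix: a labeled break names the loop to leave,
// so counting stops at the first negative element.
func countUntilNegative(xs []int) int {
	n := 0
loop:
	for _, x := range xs {
		switch {
		case x < 0:
			break loop
		}
		n++
	}
	return n
}

func main() {
	xs := []int{3, 1, -4, 1, 5}
	fmt.Println("buggy:", countUntilNegativeBuggy(xs)) // counts all five
	fmt.Println("fixed:", countUntilNegative(xs))      // stops at -4, counts two
}
```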
Joel Speed
987b25fae7
Add whitelist domain to changelog 2019-01-30 17:31:30 +00:00
Joel Speed
52b50a49ed
Add env option 2019-01-30 17:30:50 +00:00
Joel Speed
9007d66559
Test explicit subdomain whitelisting 2019-01-30 17:30:49 +00:00
Joel Speed
81f77a55de
Add note on subdomain behaviour 2019-01-30 17:30:48 +00:00
Joel Speed
bc4d5941fc
Remove duplicated logic 2019-01-30 17:30:48 +00:00
Joel Speed
fd875fc663
Make option name singular 2019-01-30 17:30:47 +00:00
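The whitelist-domain commits above ("Whitelist domains", "Test explicit subdomain whitelisting", "Add note on subdomain behaviour") concern validating the post-login redirect target, an open-redirect control. The following is an added example, not the project's `IsValidRedirect` code, and its semantics are assumptions stated in the comments: an entry with a leading dot (`.example.com`) admits subdomains only, an entry without one matches exactly, path-only targets are accepted unless scheme-relative, and the backslash variant `/\host` that some browsers normalise to `//host` is rejected as well.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// hostAllowed matches host against whitelist entries. An entry with a leading
// dot (".example.com") matches any subdomain but not the bare domain; an entry
// without one matches exactly. List both forms to allow both. (Assumed
// semantics for this example.)
func hostAllowed(host string, whitelist []string) bool {
	host = strings.ToLower(host)
	for _, entry := range whitelist {
		entry = strings.ToLower(entry)
		if strings.HasPrefix(entry, ".") {
			if strings.HasSuffix(host, entry) {
				return true
			}
			continue
		}
		if host == entry {
			return true
		}
	}
	return false
}

// isValidRedirect decides whether a post-login redirect target is safe.
// Path-only targets are accepted unless they are scheme-relative ("//host")
// or the backslash variant ("/\host"); absolute http(s) URLs must carry a
// whitelisted hostname; anything else (other schemes, empty) is rejected.
func isValidRedirect(redirect string, whitelist []string) bool {
	switch {
	case redirect == "":
		return false
	case strings.HasPrefix(redirect, "/"):
		return !strings.HasPrefix(redirect, "//") && !strings.HasPrefix(redirect, `/\`)
	case strings.HasPrefix(redirect, "http://") || strings.HasPrefix(redirect, "https://"):
		u, err := url.Parse(redirect)
		if err != nil {
			return false
		}
		// Hostname() drops any port, and url.Parse separates userinfo, so
		// "https://app.example.com@evil.com/" is judged by "evil.com".
		return hostAllowed(u.Hostname(), whitelist)
	default:
		return false
	}
}

func main() {
	// Constructed whitelist and targets for demonstration.
	whitelist := []string{".example.com", "login.example.org"}
	for _, target := range []string{
		"/dashboard",
		"//evil.com/",
		"https://app.example.com/home",
		"https://example.com/",
		"https://app.example.com@evil.com/",
	} {
		fmt.Printf("%-40s %v\n", target, isValidRedirect(target, whitelist))
	}
}
```

The suffix match is on the hostname, not on the whole string, which is what keeps `https://evil.com/.example.com` and `https://example.com.evil.com/` out; the userinfo trick is defeated by comparing `Hostname()` rather than searching the raw URL.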