Commit Graph

77 Commits

Author SHA1 Message Date
Joel Speed
093f9da881
Move cipher creation to options and away from oauth2_proxy.go 2019-05-20 11:26:13 +02:00
Joel Speed
fbee5eae16
Initialise SessionStore in Options 2019-05-20 11:26:04 +02:00
Joel Speed
455e0004b8
Include SessionOptions in Options struct 2019-05-18 13:10:11 +02:00
Joel Speed
fd6655411b
Move cookie configuration to separate package 2019-05-18 13:09:59 +02:00
Mister Wil
88c518885c
Merge branch 'master' into enhanced_logging 2019-04-16 06:53:45 -07:00
timothy-spencer
1ae62a3343
added jwt-key-file option, update docs 2019-04-15 09:49:05 -07:00
MisterWil
40ba565975 Requested changes 2019-04-12 09:48:21 -07:00
MisterWil
d77119be55 Merging changes 2019-04-12 09:26:44 -07:00
MisterWil
8ec025f536 Auth and standard logging with file rolling 2019-04-12 08:59:46 -07:00
Costel Moraru
071d17b521 Expose -cookie-path as configuration parameter 2019-04-10 00:36:35 +03:00
timothy-spencer
3476daf322
added an option to enable GCP healthcheck endpoints 2019-03-20 14:29:44 -07:00
Tim Spencer
8cc5fbf859 add login.gov provider (#55)
* first stab at login.gov provider

* fixing bugs now that I think I understand things better

* fixing up dependencies

* remove some debug stuff

* Fixing all dependencies to point at my fork

* forgot to hit save on the github rehome here

* adding options for setting keys and so on, use JWT workflow instead of PKCE

* forgot comma

* was too aggressive with search/replace

* need JWTKey to be byte array

* removed custom refresh stuff

* do our own custom jwt claim and store it in the normal session store

* golang json types are strange

* I have much to learn about golang

* fix time and signing key

* add http lib

* fixed claims up since we don't need custom claims

* add libs

* forgot ioutil

* forgot ioutil

* moved back to pusher location

* changed proxy github location back so that it builds externally, fixed up []byte stuff, removed client_secret if we are using login.gov

* update dependencies

* do JWTs properly

* finished oidc flow, fixed up tests to work better

* updated comments, added test that we set expiresOn properly

* got confused with header and post vs get

* clean up debug and test dir

* add login.gov to README, remove references to my repo

* forgot to remove un-needed code

* can use sample_key* instead of generating your own

* updated changelog

* apparently golint wants comments like this

* linter wants non-standard libs in a separate grouping

* Update options.go

Co-Authored-By: timothy-spencer <timothy.spencer@gsa.gov>

* Update options.go

Co-Authored-By: timothy-spencer <timothy.spencer@gsa.gov>

* remove sample_key, improve comments related to client-secret, fix changelog related to PR feedback

* github doesn't seem to do gofmt when merging.  :-)

* update CODEOWNERS

* check the nonce

* validate the JWT fully

* forgot to add pubjwk-url to README

* unexport the struct

* fix up the err masking that travis found

* update nonce comment by request of @JoelSpeed

* argh.  Thought I'd formatted the merge properly, but apparently not.

* fixed test to not fail if the query time was greater than zero
2019-03-20 13:44:51 +00:00
Adam Szalkowski
c7193b4085 Merge websocket proxy feature from openshift/oauth-proxy. Original author: Hiram Chirino <hiram@hiramchirino.com> 2019-03-11 14:05:16 +01:00
Marcel D. Juhnke
8816a2a972 Add -skip-oidc-discovery option (#41)
* added karrieretutor go-oidc fork for using an AAD B2C Policy

* added karrieretutor go-oidc fork for using an AAD B2C Policy

* added --skip-oidc-discovery option

* added --skip-oidc-discovery option

* add simple test for skip-oidc-discovery option

* revert Dockerfile to pusher upstream

* revert Dockerfile to pusher upstream

* remove karrieretutor b2c option leftover

* remove karrieretutor b2c option leftover

* Fix typo (missing letters)

Co-Authored-By: marratj <marrat@marrat.de>

* Fix typo (missing letters)

Co-Authored-By: marratj <marrat@marrat.de>

* replace fake http client with NewProvider() from go-oidc

* remove OIDC UserInfo URL option (not required)

* add info about -skip-oidc-discovery to README

* add note to changelog

* Update outdated comment
2019-03-04 13:54:22 +00:00
Joel Speed
fa2545636b
Merge pull request #15 from pusher/whitelist-domains
Whitelist domains
2019-02-02 18:55:37 +00:00
Steve Arch
01c5f5ae3b Implemented flushing interval (#23)
* Implemented flushing interval

When proxying streaming responses, it would not flush the response writer buffer until some seemingly random point (maybe the number of bytes?). This makes it flush every 1 second by default, but with a configurable interval.

* flushing CHANGELOG

* gofmt and goimports
2019-01-31 14:02:15 +00:00
Joel Speed
52b50a49ed
Add env option 2019-01-30 17:30:50 +00:00
Joel Speed
2a1691a994
Add whitelist domains flag 2019-01-30 17:30:40 +00:00
Joel Speed
68d4164897
Add Authorization header flags 2019-01-22 11:34:23 +00:00
Joel Speed
ee913fb788
Add comments to exported methods for root package 2018-12-20 09:30:42 +00:00
Joel Speed
8ee802d4e5
Lint for non-comment linter errors 2018-11-29 14:26:41 +00:00
Joel Speed
847cf25228
Move imports from bitly to pusher 2018-11-27 11:45:05 +00:00
Tanvir Alam
faff555c55
Merge pull request #423 from Jimdo/configure_accesslog_format
Make Request Logging Format Configurable
2017-12-04 12:56:54 -05:00
Paul Seiffert
9341dcbf79 Make request logging format configurable 2017-12-04 12:52:47 -05:00
Dave Nicponski
e955d2be0e options: update options parsing for better handling of incorrect values
* don't add in failed compiled regexes for skip auth regex option
* improve test coverage for skip auth regex option to handle partial
success case
* add tests for incorrect upstream options parsing errors
2017-11-20 11:37:53 -05:00
Mike Bland
e241fe86d3
Switch from 18F/hmacauth to mbland/hmacauth
Since I'm no longer with 18F, I've re-released hmacauth under the ISC
license as opposed to the previous CC0 license. There have been no
changes to the hmacauth code itself, and all tests still pass.
2017-11-07 07:55:24 -05:00
Jehiah Czebotar
e87c3eee13 Merge pull request #389 from ericchiang/oidc-provider
*: add an OpenID Connect provider
2017-09-09 20:44:59 -04:00
Eric Chiang
cb48577ede *: add an OpenID Connect provider
See the README for usage with Dex or any other OIDC provider.

To test run a backend:

    python3 -m http.server

Run dex and modify the example config with the proxy callback:

    go get github.com/coreos/dex/cmd/dex
    cd $GOPATH/src/github.com/coreos/dex
    sed -i.bak \
      's|http://127.0.0.1:5555/callback|http://127.0.0.1:5555/oauth2/callback|g' \
       examples/config-dev.yaml
    make
    ./bin/dex serve examples/config-dev.yaml

Then run the oauth2_proxy

    oauth2_proxy \
      --oidc-issuer-url http://127.0.0.1:5556/dex \
      --upstream http://localhost:8000 \
      --client-id example-app \
      --client-secret ZXhhbXBsZS1hcHAtc2VjcmV0 \
      --cookie-secret foo \
      --email-domain '*' \
      --http-address http://127.0.0.1:5555 \
      --redirect-url http://127.0.0.1:5555/oauth2/callback \
      --cookie-secure=false

Login with the username/password "admin@example.com:password"
2017-09-08 09:32:51 -07:00
Jehiah Czebotar
23cef89236 Merge pull request #431 from ploxiln/nil_upstream_url
gracefully report un-parsed upstream URL
2017-08-28 20:46:30 -04:00
Pierce Lopez
3d8b59ef71 options: wrap missing-email-validation error message 2017-08-05 12:55:42 -04:00
Pierce Lopez
e9bbecface options: gracefully report un-parsed upstream URL
upstreamURL is a nil pointer if there is an error parsing --upstream
2017-08-05 12:55:15 -04:00
Christian Svensson
0b117133b9 Remove check for >0 upstreams
When used solely for auth_request there is no upstream.
Instead of forcing users to set a dummy upstream, remove
the check.
2017-07-20 21:54:31 +02:00
idntfy
1e7d2a08a3 #369: Optionally allow skipping authentication for preflight requests 2017-04-07 15:01:47 +03:00
Lukasz Siudut
829b442302 add --set-xauthrequest flag for use in Nginx auth_request mode
This is enhancement of #173 to use "Auth Request" consistently in
the command-line option, configuration file and response headers.
It always sets the X-Auth-Request-User response header and if the
email is available, sets X-Auth-Request-Email as well.
2017-03-29 21:28:55 +05:30
Jehiah Czebotar
dcf62d06df option for skipping OAuth provider SSL verification 2017-03-29 10:57:07 -04:00
Jehiah Czebotar
c5fc7baa86 gofmt 2017-03-29 09:36:38 -04:00
Omar Elazhary
24f91a0b60 Allow to pass user headers only (issue #205)
* This fixes https://github.com/bitly/oauth2_proxy/issues/205
* Add new boolean option -pass-user-headers
  to control whether X-Forwarded-User and X-Forwarded-Email
  headers will be set (as opposed to HTTP BASIC auth)
* This is required e.g. for grafana [1] where
  X-Forwarded-User is needed but HTTP BASIC auth fails
  (password is not known and must not be known in this scenario)
* Keep behaviour of PassBasicAuth unchanged for compatibility

[1] http://docs.grafana.org/installation/configuration/#authproxy
2017-01-24 11:11:58 +01:00
tanuck
c015075996 Validate cookie name (#278)
Validate cookie name passes go's isCookieNameValid check
2016-07-19 15:51:25 -04:00
Jehiah Czebotar
cdebfd6436
base64 cookie support 2016-06-20 07:45:43 -04:00
Jehiah Czebotar
57f82ed71e
Custom footer text (optional)
Closes #256 and #166
2016-06-18 23:54:32 -04:00
Jehiah Czebotar
168cff9d4b Merge pull request #161 from rahdjoudj/master
adding option to skip provider button sign_in page
2016-06-18 23:31:39 -04:00
Mike Bland
87d80d6d22 OAUTH2_PROXY_SIGNATURE_KEY env var, README update 2016-02-24 08:23:31 -05:00
Eelco Cramer
10f47e325b Add Azure Provider 2016-01-20 03:57:17 -05:00
Mike Bland
e4626c1360 Sign Upstream requests with HMAC. closes #147 2015-11-15 22:09:30 -05:00
Reda Ahdjoudj
35547a40cb adding option to skip provider button sign_in page 2015-11-11 11:42:35 +11:00
Brandon Philips
51a2e4e48c *: rename Url to URL everywhere
Go coding style says that acronyms should be all lower or all upper. Fix
Url to URL.
2015-11-09 00:47:44 +01:00
Justin Burnham
3fd8f911c2 google: Support restricting access to a specific group(s) 2015-09-09 02:10:32 -07:00
Ed Bardsley
33045a792b Add a flag to set the value of "approval_prompt".
By setting this to "force", certain providers, like Google,
will interject an additional prompt on every new session. With other values,
like "auto", this prompt is not forced upon the user.
2015-07-31 00:43:47 -07:00
Jehiah Czebotar
1e48d89e00 clarify required email validation settings 2015-07-24 16:09:33 -04:00
Justin Burnham
7dd5d299e1 Add support for setting the basic auth password.
For tools that don't like empty passwords, this change allows
one to set a shared secret password for all users.
2015-07-24 09:17:43 +00:00