Use simple USER directive.
Using `addgroup` in final `arm` image when building on amd64 doesn't work.
I must have made a mistake during cross build verification.
Alternative is to use qemu-static but it's not worth it for this.
* Use encoding/json for SessionState serialization
In order to make it easier to extend in future.
* Store only email and user in cookie when cipher is unavailable
This improves safety and robustness, and also preserves the existing
behaviour.
* Add TestEncodeSessionState/TestDecodeSessionState
Use the test vectors with JSON encoding just introduced.
* Support session state encoding in older versions
* Add test cases for legacy session state strings
* Add check for wrong expiration time in session state strings
* Avoid exposing time.Time zero value when encoding session state string
* Update CHANGELOG.md
* first stab at login.gov provider
* fixing bugs now that I think I understand things better
* fixing up dependencies
* remove some debug stuff
* Fixing all dependencies to point at my fork
* forgot to hit save on the github rehome here
* adding options for setting keys and so on, use JWT workflow instead of PKCE
* forgot comma
* was too aggressive with search/replace
* need JWTKey to be byte array
* removed custom refresh stuff
* do our own custom jwt claim and store it in the normal session store
* golang json types are strange
* I have much to learn about golang
* fix time and signing key
* add http lib
* fixed claims up since we don't need custom claims
* add libs
* forgot ioutil
* forgot ioutil
* moved back to pusher location
* changed proxy github location back so that it builds externally, fixed up []byte stuff, removed client_secret if we are using login.gov
* update dependencies
* do JWTs properly
* finished oidc flow, fixed up tests to work better
* updated comments, added test that we set expiresOn properly
* got confused with header and post vs get
* clean up debug and test dir
* add login.gov to README, remove references to my repo
* forgot to remove un-needed code
* can use sample_key* instead of generating your own
* updated changelog
* apparently golint wants comments like this
* linter wants non-standard libs in a separate grouping
* Update options.go
Co-Authored-By: timothy-spencer <timothy.spencer@gsa.gov>
* Update options.go
Co-Authored-By: timothy-spencer <timothy.spencer@gsa.gov>
* remove sample_key, improve comments related to client-secret, fix changelog related to PR feedback
* github doesn't seem to do gofmt when merging. :-)
* update CODEOWNERS
* check the nonce
* validate the JWT fully
* forgot to add pubjwk-url to README
* unexport the struct
* fix up the err masking that travis found
* update nonce comment by request of @JoelSpeed
* argh. Thought I'd formatted the merge properly, but apparently not.
* fixed test to not fail if the query time was greater than zero
* fixes deletion of splitted cookies
* three minor adjustments to improve the tests
* changed cookie name matching to regex
* Update oauthproxy.go
Co-Authored-By: einfachchr <einfachchr@gmail.com>
* removed unused variable
* Changelog
* Added conditional to prevent user-supplied redirect URL getting
clobbered
Change-type: patch
* use redirectURL as OAuthCallbackURL (as it should be!)
Change-type: patch
Run as non-root user and group
In the unlikely event that you are currently persisting data to disk then this
change may break file read/write access due to a change in the UID/GID that the
oauth2_proxy process runs as.
Run as non-root system user and group `oauth2proxy` with UID/GID `2000` to avoid clashing with typical local users.
An alternative to creating a separate user is to ~~chown binary and~~ run as `USER nobody`, which also works, can amend this PR if required.
Least access privileges.
Close: https://github.com/pusher/oauth2_proxy/issues/78
Locally with Docker (`-version`):
```
$ ps aux | grep oauth2
2000 25192 6.0 0.0 0 0 ? Ds 15:53 0:00 [oauth2_proxy]
```
Running in Kubernetes 1.13 with the following also specified:
```
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 10001
```
```
$ kubectl exec -it -n oauth2-proxy oauth2-proxy-85c9f58ffc-dz9lr sh
/opt $ whoami
whoami: unknown uid 10001
/opt $ ps aux
PID USER TIME COMMAND
1 10001 0:00 /opt/oauth2_proxy --whitelist-domain=.example.com --cookie-domain=example.com --email-domain=example.com --upstream=file:///dev/null --http-address=0.0.0.0:4180
11 10001 0:00 sh
17 10001 0:00 ps aux
```
<!--- Go over all the following points, and put an `x` in all the boxes that apply. -->
<!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! -->
- [x] My change requires a change to the documentation or CHANGELOG.
- [x] I have updated the documentation/CHANGELOG accordingly.
- [x] I have created a feature (non-master) branch for my PR.
* Access token forwarding through nginx auth request
Related to #420.
(cherry picked from commit b138872bea)
Signed-off-by: David Holsgrove <david.holsgrove@biarri.com>
* Improved documentation for auth request token
(cherry picked from commit 6fab314f72)
Signed-off-by: David Holsgrove <david.holsgrove@biarri.com>
* Update README.md
Example should set header as `X-Access-Token`
Co-Authored-By: davidholsgrove <davidholsgrove@users.noreply.github.com>
* Update Changelog to reference https://github.com/pusher/oauth2_proxy/pull/68
* Fix Changelog message location
* Implemented flushing interval
When proxying streaming responses, it would not flush the response writer buffer until some seemingly random point (maybe the number of bytes?). This makes it flush every 1 second by default, but with a configurable interval.
* flushing CHANGELOG
* gofmt and goimports
