Commit Graph

556 Commits

Author SHA1 Message Date
Joel Speed
a38b0dcec2
Merge pull request #112 from gyson/improve-websocket-support
Improve websocket support
2019-03-25 10:27:08 +00:00
gyson
b67614c90f Update CHANGELOG.md 2019-03-22 17:41:55 -04:00
gyson
978c0a33e4 Improve websocket support 2019-03-22 17:19:38 -04:00
timothy-spencer
e9f36fa4b5
added the PR to the changelog 2019-03-20 14:44:01 -07:00
timothy-spencer
2147ae8cfd
added gcp-healthchecks flag in readme, fixed link to logingov-provider 2019-03-20 14:38:06 -07:00
timothy-spencer
3476daf322
added an option to enable GCP healthcheck endpoints 2019-03-20 14:29:44 -07:00
Carlos Alexandro Becker
24f36f27a7
fix: check if it is both primary and verified 2019-03-20 13:52:30 -03:00
Carlos Alexandro Becker
95ee4358b2
Merge remote-tracking branch 'upstream/master' into verified 2019-03-20 13:46:04 -03:00
Joel Speed
ca89bb833d
Merge pull request #108 from pkoenig10/patch-1
Set redirect URL path when host is present
2019-03-20 16:41:09 +00:00
Patrick Koenig
6f9eac5190
Set redirect URL path when host is present 2019-03-20 09:25:04 -07:00
YAEGASHI Takeshi
2070fae47c Use encoding/json for SessionState serialization (#63)
* Use encoding/json for SessionState serialization

In order to make it easier to extend in future.

* Store only email and user in cookie when cipher is unavailable

This improves safety and robustness, and also preserves the existing
behaviour.

* Add TestEncodeSessionState/TestDecodeSessionState

Use the test vectors with JSON encoding just introduced.

* Support session state encoding in older versions

* Add test cases for legacy session state strings

* Add check for wrong expiration time in session state strings

* Avoid exposing time.Time zero value when encoding session state string

* Update CHANGELOG.md
2019-03-20 13:59:24 +00:00
Berjou
a656435d00 Implement Getter interface for StringArray (#104)
This commit fix the issue #98
2019-03-20 13:58:14 +00:00
Tim Spencer
8cc5fbf859 add login.gov provider (#55)
* first stab at login.gov provider

* fixing bugs now that I think I understand things better

* fixing up dependencies

* remove some debug stuff

* Fixing all dependencies to point at my fork

* forgot to hit save on the github rehome here

* adding options for setting keys and so on, use JWT workflow instead of PKCE

* forgot comma

* was too aggressive with search/replace

* need JWTKey to be byte array

* removed custom refresh stuff

* do our own custom jwt claim and store it in the normal session store

* golang json types are strange

* I have much to learn about golang

* fix time and signing key

* add http lib

* fixed claims up since we don't need custom claims

* add libs

* forgot ioutil

* forgot ioutil

* moved back to pusher location

* changed proxy github location back so that it builds externally, fixed up []byte stuff, removed client_secret if we are using login.gov

* update dependencies

* do JWTs properly

* finished oidc flow, fixed up tests to work better

* updated comments, added test that we set expiresOn properly

* got confused with header and post vs get

* clean up debug and test dir

* add login.gov to README, remove references to my repo

* forgot to remove un-needed code

* can use sample_key* instead of generating your own

* updated changelog

* apparently golint wants comments like this

* linter wants non-standard libs in a separate grouping

* Update options.go

Co-Authored-By: timothy-spencer <timothy.spencer@gsa.gov>

* Update options.go

Co-Authored-By: timothy-spencer <timothy.spencer@gsa.gov>

* remove sample_key, improve comments related to client-secret, fix changelog related to PR feedback

* github doesn't seem to do gofmt when merging.  :-)

* update CODEOWNERS

* check the nonce

* validate the JWT fully

* forgot to add pubjwk-url to README

* unexport the struct

* fix up the err masking that travis found

* update nonce comment by request of @JoelSpeed

* argh.  Thought I'd formatted the merge properly, but apparently not.

* fixed test to not fail if the query time was greater than zero
2019-03-20 13:44:51 +00:00
einfachchr
f715c9371b Fixes deletion of splitted cookies - Issue #69 (#70)
* fixes deletion of splitted cookies

* three minor adjustments to improve the tests

* changed cookie name matching to regex

* Update oauthproxy.go

Co-Authored-By: einfachchr <einfachchr@gmail.com>

* removed unused variable

* Changelog
2019-03-15 07:18:37 +00:00
Joel Speed
cfd1fd83bd
Merge pull request #101 from pusher/fix-callback-path
Revert OAuthCallbackPath
2019-03-12 17:33:24 +00:00
Joel Speed
e195a74e26
Revert OAuthCallbackPath 2019-03-12 16:46:37 +00:00
Carlos Alexandro Becker
58b8bbe491
fix: changelog 2019-03-11 14:55:02 -03:00
Carlos Alexandro Becker
b49aeb222b
fix: should check if email is verified 2019-03-11 14:52:08 -03:00
Joel Speed
056089bbcc
Merge pull request #92 from butzist/feature/wsproxy
Merge websocket proxy feature from openshift/oauth-proxy
2019-03-11 13:22:20 +00:00
Adam Szalkowski
c7193b4085 Merge websocket proxy feature from openshift/oauth-proxy. Original author: Hiram Chirino <hiram@hiramchirino.com> 2019-03-11 14:05:16 +01:00
Joel Speed
21c9d38ada
Merge pull request #57 from aigarius/patch-1
Fall back to using OIDC Subject instead of Email
2019-03-08 14:20:12 +00:00
Aigars Mahinovs
4e6593bc60 Update changelog for pull request #57 2019-03-08 13:41:15 +01:00
Aigars Mahinovs
7acec6243b Fall back to using OIDC Subject instead of Email
Email is not mandatory field, Subject is mandatory and expected to be unique. Might want to take a look at UserInfo first, however.

Issue: #56
2019-03-08 13:39:08 +01:00
Joel Speed
84d7c51bb6
Merge pull request #85 from kskewes/dockernoroot
Use non-root user in docker images
2019-03-05 20:32:39 +00:00
Joel Speed
bfccc1f261
Update CHANGELOG.md
Co-Authored-By: kskewes <karl.skewes@gmail.com>
2019-03-05 11:42:11 -08:00
dt-rush
549766666e fix redirect url param handling (#10)
* Added conditional to prevent user-supplied redirect URL getting
clobbered

Change-type: patch

* use redirectURL as OAuthCallbackURL (as it should be!)

Change-type: patch
2019-03-05 14:58:26 +00:00
Ben
66c5eb3174 Small clarification around health checks (#84)
Type: docs
I simply added the word health check. I was searching all over the
package for a health check, to only realise that it had been called
ping. I think the small addition might help others avoid my troubles.
2019-03-05 14:09:30 +00:00
Gabor Lekeny
eacba4ec7d Add id_token refresh to Google provider (#83) 2019-03-05 14:07:10 +00:00
Karl Skewes
80b5873a26 Potentially breaking change: docker user & group
Run as non-root user and group

In the unlikely event that you are currently persisting data to disk then this
change may break file read/write access due to a change in the UID/GID that the
oauth2_proxy process runs as.

Run as non-root system user and group `oauth2proxy` with UID/GID `2000` to avoid clashing with typical local users.
An alternative to creating a separate user is to ~~chown binary and~~ run as `USER nobody`, which also works, can amend this PR if required.

Least access privileges.
Close: https://github.com/pusher/oauth2_proxy/issues/78

Locally with Docker (`-version`):
```
$ ps aux | grep oauth2
2000     25192  6.0  0.0      0     0 ?        Ds   15:53   0:00 [oauth2_proxy]
```

Running in Kubernetes 1.13 with the following also specified:
```
        securityContext:
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 10001
```
```
$ kubectl exec -it -n oauth2-proxy oauth2-proxy-85c9f58ffc-dz9lr sh
/opt $ whoami
whoami: unknown uid 10001
/opt $ ps aux
PID   USER     TIME  COMMAND
    1 10001     0:00 /opt/oauth2_proxy --whitelist-domain=.example.com --cookie-domain=example.com --email-domain=example.com --upstream=file:///dev/null --http-address=0.0.0.0:4180
   11 10001     0:00 sh
   17 10001     0:00 ps aux
```

<!--- Go over all the following points, and put an `x` in all the boxes that apply. -->
<!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! -->

- [x] My change requires a change to the documentation or CHANGELOG.
- [x] I have updated the documentation/CHANGELOG accordingly.
- [x] I have created a feature (non-master) branch for my PR.
2019-03-05 21:37:04 +13:00
Marcel D. Juhnke
8816a2a972 Add -skip-oidc-discovery option (#41)
* added karrieretutor go-oidc fork for using an AAD B2C Policy

* added karrieretutor go-oidc fork for using an AAD B2C Policy

* added --skip-oidc-discovery option

* added --skip-oidc-discovery option

* add simple test for skip-oidc-discovery option

* revert Dockerfile to pusher upstream

* revert Dockerfile to pusher upstream

* remove karrieretutor b2c option leftover

* remove karrieretutor b2c option leftover

* Fix typo (missing letters)

Co-Authored-By: marratj <marrat@marrat.de>

* Fix typo (missing letters)

Co-Authored-By: marratj <marrat@marrat.de>

* replace fake http client with NewProvider() from go-oidc

* remove OIDC UserInfo URL option (not required)

* add info about -skip-oidc-discovery to README

* add note to changelog

* Update outdated comment
2019-03-04 13:54:22 +00:00
MisterWil
2ca2c48bd9 Added list of variables for logging formats. 2019-02-26 08:53:41 -08:00
MisterWil
45742d326d Merge remote-tracking branch 'origin/master' into enhanced_logging 2019-02-26 08:27:06 -08:00
Mathias Söderberg
fb1614c873
Merge pull request #76 from simplesurance/improve_configure_gopath
build: fix: configure fails if GOPATH environment variable not set
2019-02-25 10:17:48 +00:00
Fabian Holler
1c16c2c055 build: fix: configure fails if GOPATH environment variable not set
If the GOPATH enviroment variable was not set, go uses the default
GOPATH (~/go/).

The configure script was only checking if the GOPATH environment
is set. If it wasn't the script was failing.

Instead of checking if the GOPATH environment variable is set, check if
"go env GOPATH" returns a non-emtpy string.
2019-02-25 10:48:19 +01:00
David Holsgrove
2280b42f59 Access token forwarding through nginx auth request (#68)
* Access token forwarding through nginx auth request

Related to #420.

(cherry picked from commit b138872bea)
Signed-off-by: David Holsgrove <david.holsgrove@biarri.com>

* Improved documentation for auth request token

(cherry picked from commit 6fab314f72)
Signed-off-by: David Holsgrove <david.holsgrove@biarri.com>

* Update README.md

Example should set header as `X-Access-Token`

Co-Authored-By: davidholsgrove <davidholsgrove@users.noreply.github.com>

* Update Changelog to reference https://github.com/pusher/oauth2_proxy/pull/68

* Fix Changelog message location
2019-02-22 07:49:57 +00:00
Martin Loetzsch
8d73740425 Remove backslashes from azure configuration example 2019-02-19 14:59:13 +01:00
Joel Speed
c83335324e
Merge pull request #59 from aslafy-z/patch-1
Add oidc-issuer-url arg to README
2019-02-17 11:56:05 +00:00
MisterWil
398f85c30f Updated changelog 2019-02-15 10:29:24 -08:00
MisterWil
8a2dc3c51d Merge remote-tracking branch 'origin/master' into enhanced_logging 2019-02-15 10:14:18 -08:00
MisterWil
b8da1dec4a Fixed linting errors. 2019-02-15 10:07:25 -08:00
Zadkiel
da7d340519
Reorder arg line 2019-02-13 16:36:45 +01:00
Zadkiel
7404195c6e
Add oidc-issuer-url arg to README 2019-02-13 16:34:46 +01:00
MisterWil
2e5c877dd1 Self code review changes 2019-02-10 09:01:13 -08:00
MisterWil
b46e34be72 Auth and standard logging with file rolling 2019-02-10 08:37:45 -08:00
Joel Speed
ec4444fa3b
Merge pull request #50 from pusher/release-v3.1.0
Update release notes for v3.1.0
2019-02-09 10:13:09 +00:00
Joel Speed
09c6bd77ed
Add note on changed flush-interval behaviour 2019-02-08 14:16:41 +00:00
Joel Speed
5b95ed3552
Update release notes for v3.1.0 2019-02-08 11:57:17 +00:00
Joel Speed
402ce6f0cb
Merge pull request #39 from pusher/arm-quay
Add Quay links to ARM repositories
2019-02-08 11:07:58 +00:00
Joel Speed
bdf68cc5f0
Remove --long from git describe 2019-02-08 10:10:52 +00:00
Joel Speed
b7fd0a1b7e
Add push target to Makefile 2019-02-08 10:07:02 +00:00