Commit Graph

121 Commits

Author SHA1 Message Date
daB0bby
9660839667
fixes typo in set-authorization-header 2019-03-26 16:49:04 +01:00
Tim Spencer
8cc5fbf859 add login.gov provider (#55)
* first stab at login.gov provider

* fixing bugs now that I think I understand things better

* fixing up dependencies

* remove some debug stuff

* Fixing all dependencies to point at my fork

* forgot to hit save on the github rehome here

* adding options for setting keys and so on, use JWT workflow instead of PKCE

* forgot comma

* was too aggressive with search/replace

* need JWTKey to be byte array

* removed custom refresh stuff

* do our own custom jwt claim and store it in the normal session store

* golang json types are strange

* I have much to learn about golang

* fix time and signing key

* add http lib

* fixed claims up since we don't need custom claims

* add libs

* forgot ioutil

* forgot ioutil

* moved back to pusher location

* changed proxy github location back so that it builds externally, fixed up []byte stuff, removed client_secret if we are using login.gov

* update dependencies

* do JWTs properly

* finished oidc flow, fixed up tests to work better

* updated comments, added test that we set expiresOn properly

* got confused with header and post vs get

* clean up debug and test dir

* add login.gov to README, remove references to my repo

* forgot to remove un-needed code

* can use sample_key* instead of generating your own

* updated changelog

* apparently golint wants comments like this

* linter wants non-standard libs in a separate grouping

* Update options.go

Co-Authored-By: timothy-spencer <timothy.spencer@gsa.gov>

* Update options.go

Co-Authored-By: timothy-spencer <timothy.spencer@gsa.gov>

* remove sample_key, improve comments related to client-secret, fix changelog related to PR feedback

* github doesn't seem to do gofmt when merging.  :-)

* update CODEOWNERS

* check the nonce

* validate the JWT fully

* forgot to add pubjwk-url to README

* unexport the struct

* fix up the err masking that travis found

* update nonce comment by request of @JoelSpeed

* argh.  Thought I'd formatted the merge properly, but apparently not.

* fixed test to not fail if the query time was greater than zero
2019-03-20 13:44:51 +00:00
Adam Szalkowski
c7193b4085 Merge websocket proxy feature from openshift/oauth-proxy. Original author: Hiram Chirino <hiram@hiramchirino.com> 2019-03-11 14:05:16 +01:00
Ben
66c5eb3174 Small clarification around health checks (#84)
Type: docs
I simply added the word health check. I was searching all over the
package for a health check, to only realise that it had been called
ping. I think the small addition might help others avoid my troubles.
2019-03-05 14:09:30 +00:00
Marcel D. Juhnke
8816a2a972 Add -skip-oidc-discovery option (#41)
* added karrieretutor go-oidc fork for using an AAD B2C Policy

* added karrieretutor go-oidc fork for using an AAD B2C Policy

* added --skip-oidc-discovery option

* added --skip-oidc-discovery option

* add simple test for skip-oidc-discovery option

* revert Dockerfile to pusher upstream

* revert Dockerfile to pusher upstream

* remove karrieretutor b2c option leftover

* remove karrieretutor b2c option leftover

* Fix typo (missing letters)

Co-Authored-By: marratj <marrat@marrat.de>

* Fix typo (missing letters)

Co-Authored-By: marratj <marrat@marrat.de>

* replace fake http client with NewProvider() from go-oidc

* remove OIDC UserInfo URL option (not required)

* add info about -skip-oidc-discovery to README

* add note to changelog

* Update outdated comment
2019-03-04 13:54:22 +00:00
David Holsgrove
2280b42f59 Access token forwarding through nginx auth request (#68)
* Access token forwarding through nginx auth request

Related to #420.

(cherry picked from commit b138872bea)
Signed-off-by: David Holsgrove <david.holsgrove@biarri.com>

* Improved documentation for auth request token

(cherry picked from commit 6fab314f72)
Signed-off-by: David Holsgrove <david.holsgrove@biarri.com>

* Update README.md

Example should set header as `X-Access-Token`

Co-Authored-By: davidholsgrove <davidholsgrove@users.noreply.github.com>

* Update Changelog to reference https://github.com/pusher/oauth2_proxy/pull/68

* Fix Changelog message location
2019-02-22 07:49:57 +00:00
Zadkiel
da7d340519
Reorder arg line 2019-02-13 16:36:45 +01:00
Zadkiel
7404195c6e
Add oidc-issuer-url arg to README 2019-02-13 16:34:46 +01:00
Joel Speed
09c6bd77ed
Add note on changed flush-interval behaviour 2019-02-08 14:16:41 +00:00
Joel Speed
5b95ed3552
Update release notes for v3.1.0 2019-02-08 11:57:17 +00:00
Joel Speed
fb13ee87c8
Merge pull request #34 from marratj/cookie-separator
Change cookie index separator to underscore
2019-02-03 13:21:51 +00:00
Marcel D. Juhnke
72d4c49be0 remove duplicate lines 2019-02-02 15:00:10 +01:00
Joel Speed
cd37a14fc0
Added more context as suggested by JoelSpeed.
Co-Authored-By: marratj <marrat@marrat.de>
2019-02-02 12:47:21 +01:00
Marcel Juhnke
c574346086 add nginx cookie part extraction to README 2019-02-01 18:10:44 +01:00
Joel Speed
81f77a55de
Add note on subdomain behaviour 2019-01-30 17:30:48 +00:00
Joel Speed
0925b88d17
Update documentation and changelog 2019-01-22 11:36:52 +00:00
Joel Speed
d472cf1645
Release v3.0.0 2019-01-14 10:07:22 +00:00
Joel Speed
f80ce246f3
Fix repo link 2019-01-07 16:43:27 +00:00
Joel Speed
39d11b486f
Fix Quay link 2018-12-20 14:30:37 +00:00
Joel Speed
52f27f76dd
Add docker image note to README 2018-12-20 14:28:13 +00:00
Joel Speed
3253bef854
Add CONTRIBUTING guide 2018-12-20 14:14:04 +00:00
Joel Speed
d41089d315
Update README to reflect new repo ownership 2018-11-27 12:08:21 +00:00
Joel Speed
bfdccf681a
Add Fork notice 2018-11-27 11:23:37 +00:00
Jérôme Lecorvaisier
2db0443e04
typo(README): Terminiation » Termination 2018-03-01 12:10:02 -05:00
Pierce Lopez
20e87edde8 README: fix nginx auth_request example for requests with body
Nginx never sends the body with the auth_request sub-request, but
keeps the original Content-Length header by default. Without some
config tweaks, this results in the request to /oauth2/auth hanging.
2017-12-18 20:55:37 -05:00
Tanvir Alam
faff555c55
Merge pull request #423 from Jimdo/configure_accesslog_format
Make Request Logging Format Configurable
2017-12-04 12:56:54 -05:00
Paul Seiffert
69550cbb23 Document request-logging-format option 2017-12-04 12:52:47 -05:00
Tanvir Alam
dc65ff800f distribution: create sha256sum.txt file when creating binaries to allow validation of checksums.
* update README.md to include instructions on how to verify prebuilt binaries for new releases.
2017-11-21 15:00:30 -05:00
Tanvir Alam
f2a995b8d9 providers: update gitlab api endpoint to use latest version, v4 2017-11-06 12:05:58 -05:00
Jehiah Czebotar
bfda078caa Merge pull request #376 from reedloden/make-cookie-domain-optional
Don't set the cookie domain to the host by default, as it breaks Cookie Prefixes
2017-10-23 14:14:45 -04:00
Jehiah Czebotar
fd3925d204 Merge pull request #444 from Starefossen/patch-1
Clarify that GitHub team option in README
2017-10-23 11:52:21 -04:00
Joshua Carp
d118cb7bbb Drop deprecated MyUSA provider.
[Resolves #390]
2017-10-08 01:01:15 -04:00
Jehiah Czebotar
e87c3eee13 Merge pull request #389 from ericchiang/oidc-provider
*: add an OpenID Connect provider
2017-09-09 20:44:59 -04:00
Eric Chiang
cb48577ede *: add an OpenID Connect provider
See the README for usage with Dex or any other OIDC provider.

To test run a backend:

    python3 -m http.server

Run dex and modify the example config with the proxy callback:

    go get github.com/coreos/dex/cmd/dex
    cd $GOPATH/src/github.com/coreos/dex
    sed -i.bak \
      's|http://127.0.0.1:5555/callback|http://127.0.0.1:5555/oauth2/callback|g' \
       examples/config-dev.yaml
    make
    ./bin/dex serve examples/config-dev.yaml

Then run the oauth2_proxy

    oauth2_proxy \
      --oidc-issuer-url http://127.0.0.1:5556/dex \
      --upstream http://localhost:8000 \
      --client-id example-app \
      --client-secret ZXhhbXBsZS1hcHAtc2VjcmV0 \
      --cookie-secret foo \
      --email-domain '*' \
      --http-address http://127.0.0.1:5555 \
      --redirect-url http://127.0.0.1:5555/oauth2/callback \
      --cookie-secure=false

Login with the username/password "admin@example.com:password"
2017-09-08 09:32:51 -07:00
Hans Kristian Flaatten
94574df274 Clarify that GitHub team slug name should be used for the -github-team option 2017-09-05 22:58:53 +02:00
Jehiah Czebotar
678290035c Merge pull request #410 from sobolevn/patch-1
Updates README.md with svg badge
2017-08-28 20:50:07 -04:00
Christian Svensson
f4321c4b45 Update cookie generation to match base64 encoding
Current code is using URLEncoding but example was using the
standard RFC 4648 encoding. Switch to using the URL
encoding in the example as well.
2017-07-20 13:28:41 +02:00
Nikita Sobolev
e6e60c4b60 Updates README.md with svg badge 2017-06-29 09:36:31 +03:00
Bart Spaans
7fea71a4ce Update Google Auth Provider instructions 2017-06-21 11:03:24 +01:00
Shivansh Dhar
c8c6b66465 Fix spelling mistake in docs 2017-06-09 12:17:24 -04:00
Pierce Lopez
6d295f8446 README: nginx auth_request example refresh cookie handling
how to pass back the refreshed oauth2_proxy cookie from an nginx auth_request
2017-04-24 17:59:21 -04:00
Pierce Lopez
7f5672b433 README: simplify nginx auth_request example
/oauth2/auth is not more sensitive than other /oauth2/ paths,
does not need "internal" protection

"spdy" protocol is obsolete, http2 is the thing to enable now.
But it's orthogonal anyway.

No need for two separate content/upstream location blocks in
this example, reduce to just one, with a comment that it could
be serving files instead of proxying.
2017-04-24 17:56:15 -04:00
Reed Loden
b6bd878f27 Don't set the cookie domain to the host by default, as it breaks Cookie Prefixes
The Cookie Prefixes spec disallows the use of the `domain` attribute in cookies
if the `__Host-` prefix is used
(https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00#section-3.2).

There's no need to set it to the host by default, so make it optional. If it is
set to a non-empty value, still output a warning if it is not a suffix of the
host, as that's likely not wanted.

Fixes #352.
2017-04-24 13:03:40 -07:00
Jehiah Czebotar
f457a9042a Readme: update --help usage 2017-04-24 12:16:16 -04:00
Jehiah Czebotar
3fa5635d6c
Release 2.2.0 2017-04-24 12:11:23 -04:00
idntfy
1e7d2a08a3 #369: Optionally allow skipping authentication for preflight requests 2017-04-07 15:01:47 +03:00
Ashish Kulkarni
fe44b89f57 update documentation for Nginx auth_request mode 2017-03-29 21:28:55 +05:30
Jehiah Czebotar
dcf62d06df option for skipping OAuth provider SSL verification 2017-03-29 10:57:07 -04:00
Omar Elazhary
24f91a0b60 Allow to pass user headers only (issue #205)
* This fixes https://github.com/bitly/oauth2_proxy/issues/205
* Add new boolean option -pass-user-headers
  to control whether X-Forwarded-User and X-Forwarded-Email
  headers will be set (as opposed to HTTP BASIC auth)
* This is required e.g. for grafana [1] where
  X-Forwarded-User is needed but HTTP BASIC auth fails
  (password is not known and must not be known in this scenario)
* Keep behaviour of PassBasicAuth unchanged for compatibility

[1] http://docs.grafana.org/installation/configuration/#authproxy
2017-01-24 11:11:58 +01:00
ReadmeCritic
4203c26d7c Correct the spelling of GitHub in README 2016-11-18 09:31:22 -08:00