Commit Graph

310 Commits

Author SHA1 Message Date
Reed Loden
b6bd878f27 Don't set the cookie domain to the host by default, as it breaks Cookie Prefixes
The Cookie Prefixes spec disallows the use of the `domain` attribute in cookies
if the `__Host-` prefix is used
(https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00#section-3.2).

There's no need to set it to the host by default, so make it optional. If it is
set to a non-empty value, still output a warning if it is not a suffix of the
host, as that's likely not wanted.

Fixes #352.
2017-04-24 13:03:40 -07:00
Jehiah Czebotar
b90a23473f Merge pull request #380 from jehiah/release_380
Release v2.2
2017-04-24 12:22:11 -04:00
Jehiah Czebotar
f457a9042a Readme: update --help usage 2017-04-24 12:16:16 -04:00
Jehiah Czebotar
3fa5635d6c
Release 2.2.0 2017-04-24 12:11:23 -04:00
Jehiah Czebotar
f511cac6a6 Merge pull request #365 from travisofthenorth/fix/default-http-address
Fix url parse error
2017-04-20 14:57:39 -04:00
Jehiah Czebotar
120a47a526 Merge pull request #370 from idntfy/master
#369: Optionally allow skipping authentication for preflight requests
2017-04-07 09:20:33 -04:00
idntfy
1e7d2a08a3 #369: Optionally allow skipping authentication for preflight requests 2017-04-07 15:01:47 +03:00
Travis Hunter
f983933d88
Parse http address without url 2017-04-02 16:23:27 -04:00
Jehiah Czebotar
af7be2d622 Merge pull request #319 from advarisk/auth-request
various fixes for getting Nginx auth_request mode working
2017-03-29 12:14:24 -04:00
Ashish Kulkarni
fe44b89f57 update documentation for Nginx auth_request mode 2017-03-29 21:28:55 +05:30
Sjoerd Mulder
90a22b2f39 Use X-Auth-Request-Redirect request header in sign-in page
This is useful in Nginx auth_request mode, if a 401 handler is
configured to redirect to the sign-in page. As the request URL
does not reflect the actual URL, the value is taken from the
header "X-Auth-Request-Redirect" instead. Based on #247
2017-03-29 21:28:55 +05:30
Lukasz Siudut
829b442302 add --set-xauthrequest flag for use in Nginx auth_request mode
This is enhancement of #173 to use "Auth Request" consistently in
the command-line option, configuration file and response headers.
It always sets the X-Auth-Request-User response header and if the
email is available, sets X-Auth-Request-Email as well.
2017-03-29 21:28:55 +05:30
Jehiah Czebotar
93852a24cb Merge pull request #362 from jehiah/ssl_insecure_skip_verify_362
Option to skip SSL verification
2017-03-29 11:02:26 -04:00
Jehiah Czebotar
dcf62d06df option for skipping OAuth provider SSL verification 2017-03-29 10:57:07 -04:00
Jehiah Czebotar
bb9b607440 Merge pull request #361 from jehiah/gofmt_361
travis: run gofmt and go vet
2017-03-29 09:53:19 -04:00
Jehiah Czebotar
c5fc7baa86 gofmt 2017-03-29 09:36:38 -04:00
Jehiah Czebotar
c1116ea506 travis: run gofmt and go vet 2017-03-29 09:36:23 -04:00
Jehiah Czebotar
4464655276 Merge pull request #360 from jehiah/csrf_validation_360
CSRF protection for OAuth flow.
2017-03-29 09:36:04 -04:00
Colin Arnott
55085d9697 csrf protection; always set state 2017-03-29 09:31:10 -04:00
Jehiah Czebotar
6c690b699b Merge pull request #339 from omazhary/issue-205
Allow to pass user headers only
2017-03-28 21:42:29 -04:00
Jehiah Czebotar
107b4811b4 Merge pull request #346 from bdwyertech/patch-1
Oversize Cookie Alert
2017-03-28 21:40:11 -04:00
Jehiah Czebotar
cd0d13e3fb Merge pull request #357 from wrapp/skip-group-lookup-404
Skip 404 errors when looking up Google groups
2017-03-28 21:38:55 -04:00
Jehiah Czebotar
86d083266b Merge pull request #359 from jehiah/redirect_check_359
Improve redirect checks
2017-03-28 21:34:23 -04:00
Colin Arnott
289a6ccf46 add check for //.* to prevent open redirect during oauth 2017-03-28 21:12:33 -04:00
Eskil Andreen
652f43ed38 Skip 404 errors when looking up Google groups
When checking user membership against Google groups the groups are checked one
at a time and in the order that they were supplied. If one of the groups does
not exist then the checking is halted with the following error.

google.go:201: googleapi: Error 404: Resource Not Found: groupKey, notFound

None of the groups following the missing group are checked either. This means
that something as trivial as a typo in the first group will make it impossible
for anybody to login.

This change catches the 404, logs a message, and then carries on as usual. In
this way a typo will cause a particular group to stop working but will not
affect any other groups.
2017-03-28 16:06:15 +02:00
Jehiah Czebotar
712739f777 Merge pull request #356 from jehiah/bump_dependencies_356
Update vendored dependencies.
2017-03-27 21:07:08 -04:00
Jehiah Czebotar
2ebab604eb bump golang.org/x/... and google.golang.org dependencies 2017-03-27 20:56:15 -04:00
Jehiah Czebotar
b884b36f26 bump easy pkg upgrades; drop Go 1.6 (no httptest.NewRequest)
This fixes a test w request signing due to a content-length:0 header from Go 1.8
2017-03-27 20:36:35 -04:00
Jehiah Czebotar
951b5f325b Merge pull request #355 from ploxiln/dist_updates
dist.sh and Godeps updates
2017-03-27 20:16:44 -04:00
Pierce Lopez
9167c8ace8 travis: update go versions, gpm version 2017-03-27 19:40:12 -04:00
Pierce Lopez
a2eeec2b7a Godeps: remove redundant dep, add missing
golang.org/x/oauth2/google is same repo as golang.org/x/oauth2
  - this sometimes confused gpm/git

cloud.google.com/go/compute/metadata is a missing dependency
of golang.org/x/oauth2
2017-03-27 19:17:42 -04:00
Pierce Lopez
2024dc34ac dist.sh: run gpm with GOPATH=$DIR/.godeps
so gpm is not affected if module exists in user's GOPATH already
2017-03-27 19:13:05 -04:00
Pierce Lopez
86c9638572 dist.sh: already uses set "-e", remove "|| exit 1" 2017-03-27 18:16:39 -04:00
Jehiah Czebotar
7d920c98a6 Merge pull request #354 from ploxiln/dist_win_exe
dist.sh: add .exe for windows build
2017-03-27 14:49:40 -04:00
Pierce Lopez
bc3fe00be4 dist.sh: add .exe for windows build 2017-03-27 14:35:28 -04:00
Jehiah Czebotar
87847316d4 Merge pull request #349 from braincube-io/signout
[signout] Implement logout endpoint
2017-03-22 23:08:47 -04:00
Guillaume Bienkowski
562cc2e466 [signout] Implement logout endpoint 2017-03-21 17:40:47 +01:00
Brian Dwyer
3379e05fec Oversize Cookie Alert
Cookies cannot be larger than 4kb
2017-02-23 18:48:34 -05:00
Omar Elazhary
24f91a0b60 Allow to pass user headers only (issue #205)
* This fixes https://github.com/bitly/oauth2_proxy/issues/205
* Add new boolean option -pass-user-headers
  to control whether X-Forwarded-User and X-Forwarded-Email
  headers will be set (as opposed to HTTP BASIC auth)
* This is required e.g. for grafana [1] where
  X-Forwarded-User is needed but HTTP BASIC auth fails
  (password is not known and must not be known in this scenario)
* Keep behaviour of PassBasicAuth unchanged for compatibility

[1] http://docs.grafana.org/installation/configuration/#authproxy
2017-01-24 11:11:58 +01:00
Jehiah Czebotar
89ba1d813a Merge pull request #322 from ReadmeCritic/master
Correct the spelling of GitHub in README
2016-11-18 13:00:22 -05:00
ReadmeCritic
4203c26d7c Correct the spelling of GitHub in README 2016-11-18 09:31:22 -08:00
Jehiah Czebotar
a9c55bd6d1 Merge pull request #299 from tamsky/fix-travis-vs-upstream-golang-dependency
repo golang.org/x/oauth2/google has moved, fixes travis build
2016-08-24 22:01:54 -04:00
Marc Tamsky
e0a1831452 upstream vendor import paths have changed.
this fixes the travis build, which is broken
2016-08-24 16:58:38 -07:00
Jehiah Czebotar
a0e4a36821 Merge pull request #292 from nickmiller-wf/redact-access-token
Strip sensitive URL parameters from provider log output
2016-08-02 23:19:22 -04:00
nickmiller-wf
c566648127 add stripParam and stripToken methods to obfuscate log output 2016-08-02 21:01:44 -06:00
Jehiah Czebotar
78f2fe1306 Merge pull request #290 from MarkHerhold/patch-2
Adding skip-provider-button docs
2016-07-30 23:16:30 -04:00
Mark Herhold
116b84906e Adding skip-provider-button docs 2016-07-30 22:34:28 -04:00
Jehiah Czebotar
2f0f95b523 Merge pull request #279 from tanuck/bump-travis-version
Bump travis version
2016-07-19 16:41:44 -04:00
James Tancock
6cbc339442
Bump travis version 2016-07-19 21:29:19 +01:00
tanuck
c015075996 Validate cookie name (#278)
Validate cookie name passes go's isCookieNameValid check
2016-07-19 15:51:25 -04:00