Commit Graph

121 Commits

Author SHA1 Message Date
Justin Burnham
7dd5d299e1 Add support for setting the basic auth password.
For tools that don't like empty passwords, this change allows
one to set a shared secret password for all users.
2015-07-24 09:17:43 +00:00
mattk42
6cd3e72e09 Check email validity on all requests rather than only on login/refresh 2015-07-14 08:40:59 -06:00
Jehiah Czebotar
d49c3e167f SessionState refactoring; improve token renewal and cookie refresh
* New SessionState to consolidate email, access token and refresh token
* split ServeHttp into individual methods
* log on session renewal
* log on access token refresh
* refactor cookie encription/decription and session state serialization
2015-07-02 23:09:11 -04:00
Jehiah Czebotar
8d50b372e4 immediately redeem refresh token for provider==Google 2015-06-23 13:56:14 -04:00
Jehiah Czebotar
e9b5631eed cookie refresh: validation fixes, interval changes
* refresh now calculated as duration from cookie set
2015-06-23 07:51:00 -04:00
Jehiah Czebotar
d78aa13464 v2.0 & cleanup changes
* bump version to 2.0
* remove --cookie-https-only option
* add windows build to dist.sh
* rename --cookie-key to --cookie-name
2015-06-12 13:07:26 -04:00
Jehiah Czebotar
f5b2b20f67 support TLS directly 2015-06-07 23:14:48 -04:00
Jehiah Czebotar
f5db2e1ff7 More complete HTTP error logging 2015-06-07 21:03:53 -04:00
Jehiah Czebotar
56d19b1c84 disable email validation; rename email-domain argument
This adds a "*" option to --email-domain to disable email validation, and this renames `--google-apps-domain` to `--email-domain` for clarity across providers
2015-06-06 14:37:54 -04:00
tonymeng
c5ccd43767 Enable specific oauth2proxy path; change cookie name to _oauth2proxy 2015-06-06 14:21:42 -04:00
Jehiah Czebotar
b96a078839 Project Rename -> oauth2_proxy 2015-05-21 02:55:04 -04:00
Jehiah Czebotar
37b38dd2f4 Github provider 2015-05-21 02:21:19 -04:00
Mike Bland
8471f972e1 Move ValidateToken() to Provider 2015-05-21 02:06:23 -04:00
Jehiah Czebotar
9047920e90 Merge pull request #88 from 18F/auto-refresh
Auto refresh auth token
2015-05-11 22:24:50 -04:00
Mike Bland
5b07d9fcef Provide a robots.txt that denies all crawlers 2015-05-10 15:15:52 -04:00
Mike Bland
37f287bef4 Calculate cookie expiration from encoded timestamp
Found out the hard way that _incoming_ cookies do _not_ have their expiration
timestamps encoded. To perform auto-refresh based on expiration time, we have
to recalculate it from the time encoded in the cookie value.
2015-05-10 00:11:26 -04:00
Mike Bland
8ec967ac32 Check cookie_secret size when cookie_refresh set 2015-05-09 17:37:33 -04:00
Mike Bland
84190ab19a Validate user during cookie refresh 2015-05-09 16:54:27 -04:00
Mike Bland
610341a068 Make ProcessCookie() fail when cookie parse fails 2015-05-09 16:54:27 -04:00
Mike Bland
bd4eae8fec Store access token when cookie-refresh is set
cookie-refresh now no longer requires pass-access-token in order to work.
2015-05-09 16:54:27 -04:00
Mike Bland
b6e07d51b2 Validate access_token when auto-refreshing cookie 2015-05-09 15:09:31 -04:00
Mike Bland
25372567ac ValidateToken() to check access_token validity 2015-05-09 13:17:37 -04:00
Mike Bland
72857018ee Introduce validate-url flag/config 2015-05-08 17:13:35 -04:00
Mike Bland
8e2d83600c Implement cookie auto-refresh
The intention is to refresh the cookie whenever the user accesses an
authenticated service with less than `cookie-refresh` time to go before the
cookie expires.
2015-05-08 14:05:09 -04:00
Mike Bland
f554f99abd Ensure all errors are logged in ProcessCookie() 2015-05-08 14:05:09 -04:00
Mike Bland
beed9fb9a2 Extract MakeCookie() 2015-05-08 14:05:09 -04:00
Mike Bland
1bd90cefe7 Extract ProcessCookie() from ServeHTTP() 2015-05-08 12:41:22 -04:00
Mike Bland
9887ac3be5 Refactor cookie building and parsing
Extracts buildCookieValue() and parseCookieValue() from OauthProxy.ServeHTTP()
and adds tests for both.
2015-04-07 05:53:41 -04:00
Mike Bland
cf79fd9e4c Refactor pass_access_token+cookie_secret check
Moves the check from NewOauthProxy() to Options.Validate() and adds a test.
2015-04-07 05:53:40 -04:00
Mike Bland
5f747bb768 Redirect to / when /oauth2/sign_in accessed
Without this change, clicking the sign-in button on /oauth2/sign_in will
always redirect back to /oauth2/sign_in, essentially creating an infinite
loop.
2015-04-06 22:10:03 -04:00
Mike Bland
ad3c9a886f Pass the access token to the upstream client
This is accomplished by encoding the access_token in the auth cookie and
unpacking it as the X-Forwarded-Access-Token header for upstream requests.
2015-04-03 15:32:01 -04:00
Mike Bland
666e6ad436 Add ProviderName field; use in sign_in template 2015-03-31 12:59:07 -04:00
Mike Bland
d9a945ebc3 Integrate Provider into Options and OauthProxy 2015-03-31 09:34:50 -04:00
Mike Bland
45286af4a4 s/18F/bitly/ in import path 2015-03-30 11:42:37 -04:00
Mike Bland
9d8f932797 Extract api package
This is the first step towards genericizing the google_auth_proxy to support
OAuth2 providers other than Google as discussed in #65. The `api` package will
enable multiple providers to use the same `api.Request()` implementation.
2015-03-30 10:23:30 -04:00
Jehiah Czebotar
16f2c981f3 fix upstream request path 2015-03-21 15:29:07 -04:00
Jehiah Czebotar
b9b5e817fc improve request logging (closer to Apache Common Log) 2015-03-19 22:34:01 -04:00
Jehiah Czebotar
07c74f55c6 improve handling of cookie domains 2015-03-19 16:18:02 -04:00
Jehiah Czebotar
de04e0c519 rename cookie secure flag 2015-03-19 14:08:17 -04:00
Jehiah Czebotar
ebae065b11 make redirect_uri optional 2015-03-19 14:03:05 -04:00
Jehiah Czebotar
71ae70834d pass raw unencoded request URI upstream 2015-03-19 13:18:49 -04:00
Jehiah Czebotar
2b2324e410 support (optional) custom templates 2015-03-17 18:11:58 -04:00
Jehiah Czebotar
263e16eeea add --proxy-host-header option 2015-03-17 15:53:01 -04:00
John Boxall
24ef555547 Requests are proxied to the Host specified by the target. 2015-03-17 15:04:27 -04:00
John Boxall
20a152261c Adds failing test for using upstream Host header. 2015-03-17 15:04:27 -04:00
Jehiah Czebotar
601ae6f4ec Merge pull request #60 from tomtaylor/gofmt-fixes
Run gofmt over source
2015-01-19 12:48:57 -05:00
Tom Taylor
5201f26ffc Run gofmt over source. 2015-01-19 16:10:37 +00:00
Tom Taylor
132e3d91d6 Add flag to enable/disable cookie's HttpOnly flag. 2015-01-19 16:00:49 +00:00
vishnu chilamakuru
c4d25d271f Adding Support for multi white listed urls with regex url match. 2015-01-12 14:48:41 +05:30
drew
69804e588a Allow hiding custom login UI even if an htpasswd file is provided. 2014-12-09 14:38:57 -06:00
Jehiah Czebotar
1f515eba3c options bug fixes; set https cookies on by default 2014-11-09 22:21:46 -05:00
Jehiah Czebotar
a49eadadeb template updates to display version 2014-11-09 22:01:50 -05:00
Jehiah Czebotar
9060feb436 better environment parsing 2014-11-09 21:12:36 -05:00
Jehiah Czebotar
d4fe9a4f57 Add config file support 2014-11-09 20:33:12 -05:00
Jehiah Czebotar
bc26835076 always set httponly (there is no good reason not to); simplify httponly and expire flags 2014-11-08 14:32:35 -05:00
Igor Dolgiy
6cdf05e7f2 Added cookie settings 2014-11-08 13:35:45 -05:00
Jehiah Czebotar
23a89b06de Merge pull request #22 from dbrgn/empty_upstream_path
Handle upstreams without a trailing slash
2014-11-08 19:17:44 +01:00
Roger Hu
ec9c11ed28 Pass in the original email address too as X-Forwarded-Email. 2014-11-08 07:33:14 -08:00
Jason Swank
1e29aa1c12 Make /ping endpoint respond with "OK" 2014-10-14 17:05:59 -04:00
Jason Swank
8702ad2e52 Add /ping endpoint 2014-10-14 16:22:38 -04:00
Jehiah Czebotar
98fb800de4 update to new scopes 2014-08-07 20:49:28 +00:00
Danilo Bargen
b3bbc3ca20 Handle upstreams without a trailing slash 2014-07-08 15:06:41 +02:00
Danilo Bargen
cfe186d6cb Fixed wrong error message 2014-07-08 14:07:07 +02:00
Sean O'Connor
11ce460209 Updated redirect arg handling to only happen when needed. 2013-10-24 17:40:29 +00:00
Sean O'Connor
d2b1815d43 After authentication, redirect to original URI. 2013-10-23 20:29:39 +00:00
Jehiah Czebotar
c97de52200 handle sign in directly (if using htpasswd) 2012-12-26 18:26:03 +00:00
Jehiah Czebotar
4367e47a46 don't promote htpasswd auth; auth directly 2012-12-26 16:55:20 +00:00
Jehiah Czebotar
c459806ab0 promote basic auth to cookie 2012-12-26 10:35:02 -05:00
Jehiah Czebotar
42f539109e testing 2012-12-17 13:38:33 -05:00
Jehiah Czebotar
42359333b2 cleanup error handling 2012-12-17 13:15:23 -05:00
Jehiah Czebotar
fb636396a3 initial code import 2012-12-10 20:59:23 -05:00