Commit Graph

77 Commits

Author SHA1 Message Date
Joel Speed
c9fbf5d3c9
Move cookie to pkg/encryption 2019-06-08 07:46:06 +01:00
Joel Speed
8027cc454e
Move api to pkg/requests 2019-06-08 07:40:43 +01:00
Joel Speed
34cbe0497c
Add CreatedAt to SessionState 2019-05-20 11:26:09 +02:00
Joel Speed
2ab8a7d95d
Move SessionState to its own package 2019-05-18 13:09:56 +02:00
Phil Taprogge
56da8387c0
Include JWT sub as User 2019-05-07 11:57:17 +01:00
Phil Taprogge
15f48fb95e
Don't infer username from email local part if username not set 2019-05-07 10:36:00 +01:00
MisterWil
8ec025f536 Auth and standard logging with file rolling 2019-04-12 08:59:46 -07:00
Joel Speed
d00e3bddf5
Merge branch 'master' into verified 2019-04-11 13:49:56 +01:00
Costel Moraru
f7c85a4d16 Removing obsolete comment from EncodeSessionState 2019-04-10 15:28:03 +03:00
Costel Moraru
f5a6609b45 Fixing lint error 2019-04-09 15:17:40 +03:00
Costel Moraru
4f7517b2f9 Encrypting user/email from cookie 2019-04-09 14:55:33 +03:00
Carlos Alexandro Becker
24f36f27a7
fix: check if it is both primary and verified 2019-03-20 13:52:30 -03:00
Carlos Alexandro Becker
95ee4358b2
Merge remote-tracking branch 'upstream/master' into verified 2019-03-20 13:46:04 -03:00
YAEGASHI Takeshi
2070fae47c Use encoding/json for SessionState serialization (#63)
* Use encoding/json for SessionState serialization

In order to make it easier to extend in future.

* Store only email and user in cookie when cipher is unavailable

This improves safety and robustness, and also preserves the existing
behaviour.

* Add TestEncodeSessionState/TestDecodeSessionState

Use the test vectors with JSON encoding just introduced.

* Support session state encoding in older versions

* Add test cases for legacy session state strings

* Add check for wrong expiration time in session state strings

* Avoid exposing time.Time zero value when encoding session state string

* Update CHANGELOG.md
2019-03-20 13:59:24 +00:00
Tim Spencer
8cc5fbf859 add login.gov provider (#55)
* first stab at login.gov provider

* fixing bugs now that I think I understand things better

* fixing up dependencies

* remove some debug stuff

* Fixing all dependencies to point at my fork

* forgot to hit save on the github rehome here

* adding options for setting keys and so on, use JWT workflow instead of PKCE

* forgot comma

* was too aggressive with search/replace

* need JWTKey to be byte array

* removed custom refresh stuff

* do our own custom jwt claim and store it in the normal session store

* golang json types are strange

* I have much to learn about golang

* fix time and signing key

* add http lib

* fixed claims up since we don't need custom claims

* add libs

* forgot ioutil

* forgot ioutil

* moved back to pusher location

* changed proxy github location back so that it builds externally, fixed up []byte stuff, removed client_secret if we are using login.gov

* update dependencies

* do JWTs properly

* finished oidc flow, fixed up tests to work better

* updated comments, added test that we set expiresOn properly

* got confused with header and post vs get

* clean up debug and test dir

* add login.gov to README, remove references to my repo

* forgot to remove un-needed code

* can use sample_key* instead of generating your own

* updated changelog

* apparently golint wants comments like this

* linter wants non-standard libs in a separate grouping

* Update options.go

Co-Authored-By: timothy-spencer <timothy.spencer@gsa.gov>

* Update options.go

Co-Authored-By: timothy-spencer <timothy.spencer@gsa.gov>

* remove sample_key, improve comments related to client-secret, fix changelog related to PR feedback

* github doesn't seem to do gofmt when merging.  :-)

* update CODEOWNERS

* check the nonce

* validate the JWT fully

* forgot to add pubjwk-url to README

* unexport the struct

* fix up the err masking that travis found

* update nonce comment by request of @JoelSpeed

* argh.  Thought I'd formatted the merge properly, but apparently not.

* fixed test to not fail if the query time was greater than zero
2019-03-20 13:44:51 +00:00
Carlos Alexandro Becker
b49aeb222b
fix: should check if email is verified 2019-03-11 14:52:08 -03:00
Aigars Mahinovs
7acec6243b Fall back to using OIDC Subject instead of Email
Email is not mandatory field, Subject is mandatory and expected to be unique. Might want to take a look at UserInfo first, however.

Issue: #56
2019-03-08 13:39:08 +01:00
Gabor Lekeny
eacba4ec7d Add id_token refresh to Google provider (#83) 2019-03-05 14:07:10 +00:00
Joel Speed
cac2c9728d
Validate OIDC Session State 2019-01-22 11:34:57 +00:00
Joel Speed
1b638f32ac
Implement refreshing within OIDC provider 2019-01-22 11:34:56 +00:00
Joel Speed
6aa35a9ecf
Update sessions state 2019-01-22 11:34:53 +00:00
Joel Speed
68d4164897
Add Authorization header flags 2019-01-22 11:34:23 +00:00
Joel Speed
e200bd5c20
Add comments to exported methods for providers package 2018-12-20 10:37:59 +00:00
Joel Speed
8ee802d4e5
Lint for non-comment linter errors 2018-11-29 14:26:41 +00:00
Joel Speed
847cf25228
Move imports from bitly to pusher 2018-11-27 11:45:05 +00:00
Daniel Lamando
542ef54093
Strip JWT base64 padding before parsing. #560 2018-03-08 16:44:11 -08:00
Mark Maglana
882fcf0a01 providers: iterate across all pages from /user/orgs github endpoint.
For some GHE instances where a user can have more than 100
organizations, traversing the other pages is important otherwise
oauth2_proxy will consider the user unauthorized. This change traverses
the list returned by the API to avoid that.

Update github provider tests to include this case.
2017-12-04 15:51:48 -05:00
Carlo Lobrano
731fa9f8e0 Github provider: use login as user
- Save both user and email in session state:
    Encoding/decoding methods save both email and user
    field in session state, for use cases when User is not derived from
    email's local-parth, like for GitHub provider.

    For retrocompatibility, if no user is obtained by the provider,
    (e.g. User is an empty string) the encoding/decoding methods fall back
    to the previous behavior and use the email's local-part

    Updated also related tests and added two more tests to show behavior
    when session contains a non-empty user value.

- Added first basic GitHub provider tests

- Added GetUserName method to Provider interface
    The new GetUserName method is intended to return the User
    value when this is not the email's local-part.

    Added also the default implementation to provider_default.go

- Added call to GetUserName in redeemCode

    the new GetUserName method is used in redeemCode
    to get SessionState User value.

    For backward compatibility, if GetUserName error is
    "not implemented", the error is ignored.

- Added GetUserName method and tests to github provider.
2017-11-20 20:02:27 +01:00
Tanvir Alam
a7c5d9c478
Merge pull request #421 from arnottcr/raw-url-encode
raw url encoding
2017-11-20 10:50:56 -05:00
Tanvir Alam
f2a995b8d9 providers: update gitlab api endpoint to use latest version, v4 2017-11-06 12:05:58 -05:00
Tanvir Alam
8a77cfcac3 Swap out bmizerany/assert package that is deprecated in favor of stretchr/testify/assert 2017-10-23 12:24:17 -04:00
Jehiah Czebotar
b7f9438b8a Merge pull request #473 from jmcarp/oidc-name
Add OpenID Connect provider name.
2017-10-13 09:10:44 -04:00
Joshua Carp
d118cb7bbb Drop deprecated MyUSA provider.
[Resolves #390]
2017-10-08 01:01:15 -04:00
Joshua Carp
34d96f8d84 Add OpenID Connect provider name. 2017-10-08 00:40:36 -04:00
Miouge1
a32ff08d68 Update test for default GitLab scope 2017-09-12 23:43:49 +02:00
Miouge1
982439a8d8 Reduce the default GitLab scope 2017-09-12 23:42:07 +02:00
Jehiah Czebotar
e87c3eee13 Merge pull request #389 from ericchiang/oidc-provider
*: add an OpenID Connect provider
2017-09-09 20:44:59 -04:00
Eric Chiang
cb48577ede *: add an OpenID Connect provider
See the README for usage with Dex or any other OIDC provider.

To test run a backend:

    python3 -m http.server

Run dex and modify the example config with the proxy callback:

    go get github.com/coreos/dex/cmd/dex
    cd $GOPATH/src/github.com/coreos/dex
    sed -i.bak \
      's|http://127.0.0.1:5555/callback|http://127.0.0.1:5555/oauth2/callback|g' \
       examples/config-dev.yaml
    make
    ./bin/dex serve examples/config-dev.yaml

Then run the oauth2_proxy

    oauth2_proxy \
      --oidc-issuer-url http://127.0.0.1:5556/dex \
      --upstream http://localhost:8000 \
      --client-id example-app \
      --client-secret ZXhhbXBsZS1hcHAtc2VjcmV0 \
      --cookie-secret foo \
      --email-domain '*' \
      --http-address http://127.0.0.1:5555 \
      --redirect-url http://127.0.0.1:5555/oauth2/callback \
      --cookie-secure=false

Login with the username/password "admin@example.com:password"
2017-09-08 09:32:51 -07:00
Colin Arnott
ba67e5c847
strip all log statements with the endpoint var 2017-07-13 18:33:48 +00:00
Colin Arnott
8d6e16bf22
use base64.RawURLEncoding.DecodeString() in place of a bespoke function 2017-07-13 18:29:58 +00:00
Colin Arnott
17b1fa31dd
use Authorization header, not access_token query parameter 2017-05-18 03:45:34 +00:00
Jehiah Czebotar
c5fc7baa86 gofmt 2017-03-29 09:36:38 -04:00
Colin Arnott
55085d9697 csrf protection; always set state 2017-03-29 09:31:10 -04:00
Jehiah Czebotar
cd0d13e3fb Merge pull request #357 from wrapp/skip-group-lookup-404
Skip 404 errors when looking up Google groups
2017-03-28 21:38:55 -04:00
Colin Arnott
289a6ccf46 add check for //.* to prevent open redirect during oauth 2017-03-28 21:12:33 -04:00
Eskil Andreen
652f43ed38 Skip 404 errors when looking up Google groups
When checking user membership against Google groups the groups are checked one
at a time and in the order that they were supplied. If one of the groups does
not exist then the checking is halted with the following error.

google.go:201: googleapi: Error 404: Resource Not Found: groupKey, notFound

None of the groups following the missing group are checked either. This means
that something as trivial as a typo in the first group will make it impossible
for anybody to login.

This change catches the 404, logs a message, and then carries on as usual. In
this way a typo will cause a particular group to stop working but will not
affect any other groups.
2017-03-28 16:06:15 +02:00
nickmiller-wf
c566648127 add stripParam and stripToken methods to obfuscate log output 2016-08-02 21:01:44 -06:00
Tomas Pramuka
5acf96b75d Getting mail for Azure provider fix + tests 2016-06-29 09:00:08 +02:00
Jehiah Czebotar
a0763477c5
Facebook Authentication Provider
* will not re-prompt if the email permission is denied, or if you previously authorized the same FB app without the email scope.
2016-06-23 08:43:21 -04:00
Jehiah Czebotar
bcb8064831
github: fix github enterprise support 2016-06-20 08:15:07 -04:00