Commit Graph

81 Commits

Author SHA1 Message Date
Gabor Lekeny
eacba4ec7d Add id_token refresh to Google provider (#83) 2019-03-05 14:07:10 +00:00
Karl Skewes
80b5873a26 Potentially breaking change: docker user & group
Run as non-root user and group

In the unlikely event that you are currently persisting data to disk then this
change may break file read/write access due to a change in the UID/GID that the
oauth2_proxy process runs as.

Run as non-root system user and group `oauth2proxy` with UID/GID `2000` to avoid clashing with typical local users.
An alternative to creating a separate user is to ~~chown binary and~~ run as `USER nobody`, which also works, can amend this PR if required.

Least access privileges.
Close: https://github.com/pusher/oauth2_proxy/issues/78

Locally with Docker (`-version`):
```
$ ps aux | grep oauth2
2000     25192  6.0  0.0      0     0 ?        Ds   15:53   0:00 [oauth2_proxy]
```

Running in Kubernetes 1.13 with the following also specified:
```
        securityContext:
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 10001
```
```
$ kubectl exec -it -n oauth2-proxy oauth2-proxy-85c9f58ffc-dz9lr sh
/opt $ whoami
whoami: unknown uid 10001
/opt $ ps aux
PID   USER     TIME  COMMAND
    1 10001     0:00 /opt/oauth2_proxy --whitelist-domain=.example.com --cookie-domain=example.com --email-domain=example.com --upstream=file:///dev/null --http-address=0.0.0.0:4180
   11 10001     0:00 sh
   17 10001     0:00 ps aux
```

<!--- Go over all the following points, and put an `x` in all the boxes that apply. -->
<!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! -->

- [x] My change requires a change to the documentation or CHANGELOG.
- [x] I have updated the documentation/CHANGELOG accordingly.
- [x] I have created a feature (non-master) branch for my PR.
2019-03-05 21:37:04 +13:00
Marcel D. Juhnke
8816a2a972 Add -skip-oidc-discovery option (#41)
* added karrieretutor go-oidc fork for using an AAD B2C Policy

* added karrieretutor go-oidc fork for using an AAD B2C Policy

* added --skip-oidc-discovery option

* added --skip-oidc-discovery option

* add simple test for skip-oidc-discovery option

* revert Dockerfile to pusher upstream

* revert Dockerfile to pusher upstream

* remove karrieretutor b2c option leftover

* remove karrieretutor b2c option leftover

* Fix typo (missing letters)

Co-Authored-By: marratj <marrat@marrat.de>

* Fix typo (missing letters)

Co-Authored-By: marratj <marrat@marrat.de>

* replace fake http client with NewProvider() from go-oidc

* remove OIDC UserInfo URL option (not required)

* add info about -skip-oidc-discovery to README

* add note to changelog

* Update outdated comment
2019-03-04 13:54:22 +00:00
MisterWil
45742d326d Merge remote-tracking branch 'origin/master' into enhanced_logging 2019-02-26 08:27:06 -08:00
David Holsgrove
2280b42f59 Access token forwarding through nginx auth request (#68)
* Access token forwarding through nginx auth request

Related to #420.

(cherry picked from commit b138872bea)
Signed-off-by: David Holsgrove <david.holsgrove@biarri.com>

* Improved documentation for auth request token

(cherry picked from commit 6fab314f72)
Signed-off-by: David Holsgrove <david.holsgrove@biarri.com>

* Update README.md

Example should set header as `X-Access-Token`

Co-Authored-By: davidholsgrove <davidholsgrove@users.noreply.github.com>

* Update Changelog to reference https://github.com/pusher/oauth2_proxy/pull/68

* Fix Changelog message location
2019-02-22 07:49:57 +00:00
MisterWil
398f85c30f Updated changelog 2019-02-15 10:29:24 -08:00
Joel Speed
09c6bd77ed
Add note on changed flush-interval behaviour 2019-02-08 14:16:41 +00:00
Joel Speed
5b95ed3552
Update release notes for v3.1.0 2019-02-08 11:57:17 +00:00
Joel Speed
92c4424639
Merge pull request #37 from kskewes/dockerarm
feat(arm): Cross build arm and arm64 docker images
2019-02-04 10:36:40 +00:00
Joel Speed
fa2545636b
Merge pull request #15 from pusher/whitelist-domains
Whitelist domains
2019-02-02 18:55:37 +00:00
Karl Skewes
90e6bd278e feat(arm): Cross build arm and arm64 docker images
- Requires `qemu-user-static`, added to travis - maybe incorrect?
- Add build guide
- `.gitignore` `release/` directory
2019-02-02 13:25:20 +13:00
Joel Speed
c6d2126dcc
Merge pull request #35 from kskewes/build
feat(arm): Makefile add armv6 and arm64 to releases
2019-01-31 20:29:45 +00:00
Karl Skewes
2bdf00a692 feat(arm): Makefile add armv6 and arm64 to releases 2019-02-01 08:30:50 +13:00
Steve Arch
01c5f5ae3b Implemented flushing interval (#23)
* Implemented flushing interval

When proxying streaming responses, it would not flush the response writer buffer until some seemingly random point (maybe the number of bytes?). This makes it flush every 1 second by default, but with a configurable interval.

* flushing CHANGELOG

* gofmt and goimports
2019-01-31 14:02:15 +00:00
Joel Speed
987b25fae7
Add whitelist domain to changelog 2019-01-30 17:31:30 +00:00
Steve Arch
090ff11923 redirect to original path after login (#24)
* redirect to original path after login

* tests for new redirect behaviour

* fixed comment

* added redirect fix to changelog
2019-01-29 12:13:02 +00:00
Joel Speed
0925b88d17
Update documentation and changelog 2019-01-22 11:36:52 +00:00
Joel Speed
77766f0b2b
Update changelog for Docker Improvements 2019-01-22 10:11:40 +00:00
Joel Speed
9e9b1f97f2
Fix changelog PR link 2019-01-14 10:47:01 +00:00
Joel Speed
d472cf1645
Release v3.0.0 2019-01-14 10:07:22 +00:00
Joel Speed
372ecd0cf8
Introduce Makefile 2019-01-04 10:58:30 +00:00
Joel Speed
9096c70e96
Remove Go v1.8.x from Travis CI 2019-01-03 10:56:10 +00:00
Joel Speed
381e878574
Add CODEOWNERS file 2019-01-02 10:22:18 +00:00
Joel Speed
3253bef854
Add CONTRIBUTING guide 2018-12-20 14:14:04 +00:00
Joel Speed
8564ab6e86
Add Issue and Pull Request templates 2018-12-20 12:02:35 +00:00
Joel Speed
7fa913e51c
Add Dockerfile 2018-12-20 11:06:26 +00:00
Joel Speed
fa21208005
Fix fsnotify import 2018-11-27 12:08:22 +00:00
Joel Speed
d41089d315
Update README to reflect new repo ownership 2018-11-27 12:08:21 +00:00
Joel Speed
bc93198aa7
Update CI to separate linting and testing 2018-11-27 12:08:20 +00:00
Joel Speed
847cf25228
Move imports from bitly to pusher 2018-11-27 11:45:05 +00:00
Joel Speed
bfdccf681a
Add Fork notice 2018-11-27 11:23:37 +00:00