Commit Graph

573 Commits

Author SHA1 Message Date
Tanvir Alam
1a82180376
Merge pull request #514 from ploxiln/readme_auth_request_body
README: fix nginx auth_request example for requests with body
2018-01-16 10:47:41 -05:00
Pierce Lopez
74d0fbc868 more robust ClearSessionCookie()
default domain changed from request Host to blank, recently
try to clear cookies for both
2017-12-18 21:16:51 -05:00
Pierce Lopez
20e87edde8 README: fix nginx auth_request example for requests with body
Nginx never sends the body with the auth_request sub-request, but
keeps the original Content-Length header by default. Without some
config tweaks, this results in the request to /oauth2/auth hanging.
2017-12-18 20:55:37 -05:00
Heather Hendy
d75f626cdd
Merge pull request #414 from relaxdiego/multi-page-org
Iterate through pages returned by List Your Organizations endpoint
2017-12-04 15:12:25 -07:00
Mark Maglana
882fcf0a01 providers: iterate across all pages from /user/orgs github endpoint.
For some GHE instances where a user can have more than 100
organizations, traversing the other pages is important otherwise
oauth2_proxy will consider the user unauthorized. This change traverses
the list returned by the API to avoid that.

Update github provider tests to include this case.
2017-12-04 15:51:48 -05:00
Tanvir Alam
faff555c55
Merge pull request #423 from Jimdo/configure_accesslog_format
Make Request Logging Format Configurable
2017-12-04 12:56:54 -05:00
Paul Seiffert
1cefc96311 Test request logging 2017-12-04 12:52:47 -05:00
Paul Seiffert
69550cbb23 Document request-logging-format option 2017-12-04 12:52:47 -05:00
Paul Seiffert
9341dcbf79 Make request logging format configurable 2017-12-04 12:52:47 -05:00
Jehiah Czebotar
085c6cf79b
Merge pull request #503 from talam/add_checksum_for_binary_releases
distribution: create sha256sum.txt file when creating version releases
2017-12-04 10:39:33 -05:00
Tanvir Alam
842a45b1db distribution: remove gpm references and update to use dep 2017-12-04 09:54:31 -05:00
Tanvir Alam
dc65ff800f distribution: create sha256sum.txt file when creating binaries to allow validation of checksums.
* update README.md to include instructions on how to verify prebuilt binaries for new releases.
2017-11-21 15:00:30 -05:00
Heather Hendy
b0c1c85177
Merge pull request #466 from clobrano/github-use-login-as-user
GitHub use login as user
2017-11-20 12:48:14 -07:00
Carlo Lobrano
731fa9f8e0 Github provider: use login as user
- Save both user and email in session state:
    Encoding/decoding methods save both email and user
    field in session state, for use cases when User is not derived from
    email's local-parth, like for GitHub provider.

    For retrocompatibility, if no user is obtained by the provider,
    (e.g. User is an empty string) the encoding/decoding methods fall back
    to the previous behavior and use the email's local-part

    Updated also related tests and added two more tests to show behavior
    when session contains a non-empty user value.

- Added first basic GitHub provider tests

- Added GetUserName method to Provider interface
    The new GetUserName method is intended to return the User
    value when this is not the email's local-part.

    Added also the default implementation to provider_default.go

- Added call to GetUserName in redeemCode

    the new GetUserName method is used in redeemCode
    to get SessionState User value.

    For backward compatibility, if GetUserName error is
    "not implemented", the error is ignored.

- Added GetUserName method and tests to github provider.
2017-11-20 20:02:27 +01:00
Heather Hendy
6ddbb2c572
Merge pull request #502 from talam/update_options_parsing
options: update options parsing for better handling of incorrect values
2017-11-20 11:00:48 -07:00
Dave Nicponski
e955d2be0e options: update options parsing for better handling of incorrect values
* don't add in failed compiled regexes for skip auth regex option
* improve test coverage for skip auth regex option to handle partial
success case
* add tests for incorrect upstream options parsing errors
2017-11-20 11:37:53 -05:00
Tanvir Alam
a7c5d9c478
Merge pull request #421 from arnottcr/raw-url-encode
raw url encoding
2017-11-20 10:50:56 -05:00
Tanvir Alam
781bd0851e
Merge pull request #491 from jehiah/dep_491
Switch from gpm -> dep for dependency management
2017-11-17 15:55:15 -05:00
Jehiah Czebotar
c4905f2347 Switch from gpm -> dep for dependency management 2017-11-16 20:58:11 -05:00
Tanvir Alam
363a0dda16
Merge pull request #448 from mbland/hmacauth
Switch from 18F/hmacauth to mbland/hmacauth
2017-11-07 09:46:06 -05:00
Mike Bland
e241fe86d3
Switch from 18F/hmacauth to mbland/hmacauth
Since I'm no longer with 18F, I've re-released hmacauth under the ISC
license as opposed to the previous CC0 license. There have been no
changes to the hmacauth code itself, and all tests still pass.
2017-11-07 07:55:24 -05:00
Jehiah Czebotar
28e217dc8f
Merge pull request #496 from talam/update_gitlab_api_endpoint
providers: update gitlab api endpoint to use latest version, v4
2017-11-06 13:15:45 -05:00
Tanvir Alam
f2a995b8d9 providers: update gitlab api endpoint to use latest version, v4 2017-11-06 12:05:58 -05:00
Jehiah Czebotar
bfda078caa Merge pull request #376 from reedloden/make-cookie-domain-optional
Don't set the cookie domain to the host by default, as it breaks Cookie Prefixes
2017-10-23 14:14:45 -04:00
Jehiah Czebotar
bc1b839f7f Merge pull request #484 from talam/update_assert_package
Swap out bmizerany/assert package in favor of stretchr/testify/assert
2017-10-23 13:56:35 -04:00
Tanvir Alam
8a77cfcac3 Swap out bmizerany/assert package that is deprecated in favor of stretchr/testify/assert 2017-10-23 12:24:17 -04:00
Jehiah Czebotar
fd3925d204 Merge pull request #444 from Starefossen/patch-1
Clarify that GitHub team option in README
2017-10-23 11:52:21 -04:00
Jehiah Czebotar
b7f9438b8a Merge pull request #473 from jmcarp/oidc-name
Add OpenID Connect provider name.
2017-10-13 09:10:44 -04:00
Jehiah Czebotar
f6828631cf Merge pull request #472 from jmcarp/drop-myusa
Drop deprecated MyUSA provider.
2017-10-08 13:05:15 -04:00
Joshua Carp
d118cb7bbb Drop deprecated MyUSA provider.
[Resolves #390]
2017-10-08 01:01:15 -04:00
Joshua Carp
34d96f8d84 Add OpenID Connect provider name. 2017-10-08 00:40:36 -04:00
Jehiah Czebotar
7b26256df6 Merge pull request #447 from Miouge1/master
Use read_user as default scope for GitLab
2017-09-13 10:27:36 -04:00
Miouge1
a32ff08d68 Update test for default GitLab scope 2017-09-12 23:43:49 +02:00
Miouge1
982439a8d8 Reduce the default GitLab scope 2017-09-12 23:42:07 +02:00
Jehiah Czebotar
e87c3eee13 Merge pull request #389 from ericchiang/oidc-provider
*: add an OpenID Connect provider
2017-09-09 20:44:59 -04:00
Eric Chiang
cb48577ede *: add an OpenID Connect provider
See the README for usage with Dex or any other OIDC provider.

To test run a backend:

    python3 -m http.server

Run dex and modify the example config with the proxy callback:

    go get github.com/coreos/dex/cmd/dex
    cd $GOPATH/src/github.com/coreos/dex
    sed -i.bak \
      's|http://127.0.0.1:5555/callback|http://127.0.0.1:5555/oauth2/callback|g' \
       examples/config-dev.yaml
    make
    ./bin/dex serve examples/config-dev.yaml

Then run the oauth2_proxy

    oauth2_proxy \
      --oidc-issuer-url http://127.0.0.1:5556/dex \
      --upstream http://localhost:8000 \
      --client-id example-app \
      --client-secret ZXhhbXBsZS1hcHAtc2VjcmV0 \
      --cookie-secret foo \
      --email-domain '*' \
      --http-address http://127.0.0.1:5555 \
      --redirect-url http://127.0.0.1:5555/oauth2/callback \
      --cookie-secure=false

Login with the username/password "admin@example.com:password"
2017-09-08 09:32:51 -07:00
Hans Kristian Flaatten
94574df274 Clarify that GitHub team slug name should be used for the -github-team option 2017-09-05 22:58:53 +02:00
Jehiah Czebotar
b1e29c329b Merge pull request #407 from segmentio/sign-in-redirect
nginx auth_request: fix -skip-provider-button
2017-08-28 20:57:09 -04:00
Jehiah Czebotar
678290035c Merge pull request #410 from sobolevn/patch-1
Updates README.md with svg badge
2017-08-28 20:50:07 -04:00
Jehiah Czebotar
01ef8162a8 Merge pull request #422 from arnottcr/strip-all-tokens
strip all tokens
2017-08-28 20:48:43 -04:00
Jehiah Czebotar
23cef89236 Merge pull request #431 from ploxiln/nil_upstream_url
gracefully report un-parsed upstream URL
2017-08-28 20:46:30 -04:00
Jehiah Czebotar
11bdcc96c5 Merge pull request #426 from bluecmd/patch-4
Remove check for >0 upstreams
2017-08-28 20:45:26 -04:00
Jehiah Czebotar
79fff53531 Merge pull request #425 from bluecmd/patch-3
Update cookie generation to match base64 encoding
2017-08-28 20:44:49 -04:00
Pierce Lopez
3d8b59ef71 options: wrap missing-email-validation error message 2017-08-05 12:55:42 -04:00
Pierce Lopez
e9bbecface options: gracefully report un-parsed upstream URL
upstreamURL is a nil pointer if there is an error parsing --upstream
2017-08-05 12:55:15 -04:00
Christian Svensson
0b117133b9 Remove check for >0 upstreams
When used solely for auth_request there is no upstream.
Instead of forcing users to set a dummy upstream, remove
the check.
2017-07-20 21:54:31 +02:00
Christian Svensson
f4321c4b45 Update cookie generation to match base64 encoding
Current code is using URLEncoding but example was using the
standard RFC 4648 encoding. Switch to using the URL
encoding in the example as well.
2017-07-20 13:28:41 +02:00
Colin Arnott
ba67e5c847
strip all log statements with the endpoint var 2017-07-13 18:33:48 +00:00
Colin Arnott
8d6e16bf22
use base64.RawURLEncoding.DecodeString() in place of a bespoke function 2017-07-13 18:29:58 +00:00
Nikita Sobolev
e6e60c4b60 Updates README.md with svg badge 2017-06-29 09:36:31 +03:00