Commit Graph

77 Commits

Author SHA1 Message Date
Joel Speed
0af18d6d7c
Merge pull request #141 from openai/googleGroupEmail
Check google group membership based on email address
2019-06-15 14:05:56 +02:00
Joel Speed
77e1fff753
Merge pull request #185 from jonas/check-against-validate-url-string
Only validate tokens if ValidateURL resolves to a non-empty string
2019-06-15 12:30:03 +02:00
Adam Eijdenberg
d69560d020 No need for case when only 2 conditions 2019-06-15 18:48:27 +10:00
Jonas Fonseca
7a8fb58ad1
Only validate tokens if ValidateURL resolves to a non-empty string
Fix an unsupported protocol scheme error when validating tokens by
ensuring that the ValidateURL generates a non-empty string. The Azure
provider doesn't define any ValidateURL and therefore uses the default
value of `url.Parse("")` which is not `nil`.

The following log summary shows the issue:

    2019/06/14 12:26:04 oauthproxy.go:799: 10.244.1.3:34112 ("10.244.1.1") refreshing 16h26m29s old session cookie for Session{email:jonas.fonseca@example.com user:jonas.fonseca token:true} (refresh after 1h0m0s)
    2019/06/14 12:26:04 internal_util.go:60: GET ?access_token=eyJ0...
    2019/06/14 12:26:04 internal_util.go:61: token validation request failed: Get ?access_token=eyJ0...: unsupported protocol scheme ""
    2019/06/14 12:26:04 oauthproxy.go:822: 10.244.1.3:34112 ("10.244.1.1") removing session. error validating Session{email:jonas.fonseca@example.com user:jonas.fonseca token:true}
2019-06-14 12:52:22 -04:00
Joel Speed
78feaec6fa
Merge branch 'master' into bumpoidc 2019-06-06 17:38:19 +01:00
Brian Van Klaveren
405f9b3bb0 Update CHANGELOG with descriptions about redis support
Add updates from master
2019-06-05 00:12:11 -07:00
Brian Van Klaveren
fc06e2dbef Update documentation and changelog for redis store 2019-06-05 00:11:42 -07:00
Adam Eijdenberg
b6c60f52ee Bump go-oidc 2019-06-04 10:58:35 +10:00
Joel Speed
1355c1ce30
Merge pull request #170 from zeha/release-tarballs-as-before
Make release tarballs look like bitly's
2019-06-03 16:23:30 +01:00
Joel Speed
f0b6f1525b
Update changelog 2019-06-03 14:59:56 +01:00
Chris Hofstaedtler
076484297e Make release tarballs look like bitly's
Fixes #162
2019-05-31 14:46:54 +02:00
Karl Skewes
d3f0cb43ca Update Alpine to 3.9 2019-05-31 18:54:20 +12:00
Joel Speed
d40a61613e
Update Changelog 2019-05-20 11:39:41 +02:00
Joel Speed
72fd3b96a6
Update changelog 2019-05-18 13:10:59 +02:00
Icelyn Jennings
5d7d0c4b4b
Shorten README.md (#154)
* Update README.md

* Add changelog entry

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>
2019-05-10 12:25:05 +01:00
Phil Taprogge
d4341ec40c
Add breaking changes section to changelog 2019-05-09 10:26:40 +01:00
Phil Taprogge
39d2f28a40
Add comment; update changelog 2019-05-09 10:14:01 +01:00
Phil Taprogge
8b06d255f7
Merge branch 'master' into goversion 2019-05-03 12:37:15 +01:00
Karl Skewes
8fca58cf49 build: use go 1.12 for arm as well 2019-05-03 22:01:36 +12:00
Karl Skewes
308bcc06a4 fix Docker user on arm
Use simple USER directive.
Using `addgroup` in final `arm` image when building on amd64 doesn't work.
I must have made a mistake during cross build verification.

Alternative is to use qemu-static but it's not worth it for this.
2019-05-03 20:54:21 +12:00
Benjamin Chess
3f2fab10e6 check google group based on email address 2019-05-02 17:11:25 -07:00
Mister Wil
72da47509f
Update CHANGELOG.md 2019-04-23 09:22:46 -07:00
Mister Wil
88c518885c
Merge branch 'master' into enhanced_logging 2019-04-16 06:53:45 -07:00
timothy-spencer
1ae62a3343
added jwt-key-file option, update docs 2019-04-15 09:49:05 -07:00
MisterWil
79bcfebb77 Final conflicts 2019-04-12 09:53:07 -07:00
MisterWil
40ba565975 Requested changes 2019-04-12 09:48:21 -07:00
MisterWil
562db1e2da Updated changelog 2019-04-12 09:00:54 -07:00
Joel Speed
6545a33f93
Update changelog for release v3.2.0 2019-04-12 11:23:14 +01:00
Dan Bond
bf9fedb3cf
build: use go 1.12 (#124)
* build: use go 1.12

* Update CHANGELOG.md
2019-04-12 11:15:29 +01:00
Joel Speed
d00e3bddf5
Merge branch 'master' into verified 2019-04-11 13:49:56 +01:00
Joel Speed
3f4420fd58
Merge pull request #120 from costelmoraru/session_state_email
Encrypting user/email from cookie
2019-04-10 13:57:56 +01:00
Costel Moraru
f5f64e7d6c Update the changelog 2019-04-10 00:42:17 +03:00
Costel Moraru
6da6ee7f84 Encrypting user/email from cookie, add changelog 2019-04-09 15:00:17 +03:00
Tim Spencer
189bda3781
Merge branch 'master' into gcphealthcheck 2019-03-25 09:57:52 -07:00
gyson
b67614c90f Update CHANGELOG.md 2019-03-22 17:41:55 -04:00
timothy-spencer
e9f36fa4b5
added the PR to the changelog 2019-03-20 14:44:01 -07:00
Carlos Alexandro Becker
95ee4358b2
Merge remote-tracking branch 'upstream/master' into verified 2019-03-20 13:46:04 -03:00
YAEGASHI Takeshi
2070fae47c Use encoding/json for SessionState serialization (#63)
* Use encoding/json for SessionState serialization

In order to make it easier to extend in future.

* Store only email and user in cookie when cipher is unavailable

This improves safety and robustness, and also preserves the existing
behaviour.

* Add TestEncodeSessionState/TestDecodeSessionState

Use the test vectors with JSON encoding just introduced.

* Support session state encoding in older versions

* Add test cases for legacy session state strings

* Add check for wrong expiration time in session state strings

* Avoid exposing time.Time zero value when encoding session state string

* Update CHANGELOG.md
2019-03-20 13:59:24 +00:00
Tim Spencer
8cc5fbf859 add login.gov provider (#55)
* first stab at login.gov provider

* fixing bugs now that I think I understand things better

* fixing up dependencies

* remove some debug stuff

* Fixing all dependencies to point at my fork

* forgot to hit save on the github rehome here

* adding options for setting keys and so on, use JWT workflow instead of PKCE

* forgot comma

* was too aggressive with search/replace

* need JWTKey to be byte array

* removed custom refresh stuff

* do our own custom jwt claim and store it in the normal session store

* golang json types are strange

* I have much to learn about golang

* fix time and signing key

* add http lib

* fixed claims up since we don't need custom claims

* add libs

* forgot ioutil

* forgot ioutil

* moved back to pusher location

* changed proxy github location back so that it builds externally, fixed up []byte stuff, removed client_secret if we are using login.gov

* update dependencies

* do JWTs properly

* finished oidc flow, fixed up tests to work better

* updated comments, added test that we set expiresOn properly

* got confused with header and post vs get

* clean up debug and test dir

* add login.gov to README, remove references to my repo

* forgot to remove un-needed code

* can use sample_key* instead of generating your own

* updated changelog

* apparently golint wants comments like this

* linter wants non-standard libs in a separate grouping

* Update options.go

Co-Authored-By: timothy-spencer <timothy.spencer@gsa.gov>

* Update options.go

Co-Authored-By: timothy-spencer <timothy.spencer@gsa.gov>

* remove sample_key, improve comments related to client-secret, fix changelog related to PR feedback

* github doesn't seem to do gofmt when merging.  :-)

* update CODEOWNERS

* check the nonce

* validate the JWT fully

* forgot to add pubjwk-url to README

* unexport the struct

* fix up the err masking that travis found

* update nonce comment by request of @JoelSpeed

* argh.  Thought I'd formatted the merge properly, but apparently not.

* fixed test to not fail if the query time was greater than zero
2019-03-20 13:44:51 +00:00
einfachchr
f715c9371b Fixes deletion of splitted cookies - Issue #69 (#70)
* fixes deletion of splitted cookies

* three minor adjustments to improve the tests

* changed cookie name matching to regex

* Update oauthproxy.go

Co-Authored-By: einfachchr <einfachchr@gmail.com>

* removed unused variable

* Changelog
2019-03-15 07:18:37 +00:00
Carlos Alexandro Becker
58b8bbe491
fix: changelog 2019-03-11 14:55:02 -03:00
Adam Szalkowski
c7193b4085 Merge websocket proxy feature from openshift/oauth-proxy. Original author: Hiram Chirino <hiram@hiramchirino.com> 2019-03-11 14:05:16 +01:00
Aigars Mahinovs
4e6593bc60 Update changelog for pull request #57 2019-03-08 13:41:15 +01:00
Joel Speed
84d7c51bb6
Merge pull request #85 from kskewes/dockernoroot
Use non-root user in docker images
2019-03-05 20:32:39 +00:00
Joel Speed
bfccc1f261
Update CHANGELOG.md
Co-Authored-By: kskewes <karl.skewes@gmail.com>
2019-03-05 11:42:11 -08:00
dt-rush
549766666e fix redirect url param handling (#10)
* Added conditional to prevent user-supplied redirect URL getting
clobbered

Change-type: patch

* use redirectURL as OAuthCallbackURL (as it should be!)

Change-type: patch
2019-03-05 14:58:26 +00:00
Gabor Lekeny
eacba4ec7d Add id_token refresh to Google provider (#83) 2019-03-05 14:07:10 +00:00
Karl Skewes
80b5873a26 Potentially breaking change: docker user & group
Run as non-root user and group

In the unlikely event that you are currently persisting data to disk then this
change may break file read/write access due to a change in the UID/GID that the
oauth2_proxy process runs as.

Run as non-root system user and group `oauth2proxy` with UID/GID `2000` to avoid clashing with typical local users.
An alternative to creating a separate user is to ~~chown binary and~~ run as `USER nobody`, which also works, can amend this PR if required.

Least access privileges.
Close: https://github.com/pusher/oauth2_proxy/issues/78

Locally with Docker (`-version`):
```
$ ps aux | grep oauth2
2000     25192  6.0  0.0      0     0 ?        Ds   15:53   0:00 [oauth2_proxy]
```

Running in Kubernetes 1.13 with the following also specified:
```
        securityContext:
          readOnlyRootFilesystem: true
          runAsNonRoot: true
          runAsUser: 10001
```
```
$ kubectl exec -it -n oauth2-proxy oauth2-proxy-85c9f58ffc-dz9lr sh
/opt $ whoami
whoami: unknown uid 10001
/opt $ ps aux
PID   USER     TIME  COMMAND
    1 10001     0:00 /opt/oauth2_proxy --whitelist-domain=.example.com --cookie-domain=example.com --email-domain=example.com --upstream=file:///dev/null --http-address=0.0.0.0:4180
   11 10001     0:00 sh
   17 10001     0:00 ps aux
```

<!--- Go over all the following points, and put an `x` in all the boxes that apply. -->
<!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! -->

- [x] My change requires a change to the documentation or CHANGELOG.
- [x] I have updated the documentation/CHANGELOG accordingly.
- [x] I have created a feature (non-master) branch for my PR.
2019-03-05 21:37:04 +13:00
Marcel D. Juhnke
8816a2a972 Add -skip-oidc-discovery option (#41)
* added karrieretutor go-oidc fork for using an AAD B2C Policy

* added karrieretutor go-oidc fork for using an AAD B2C Policy

* added --skip-oidc-discovery option

* added --skip-oidc-discovery option

* add simple test for skip-oidc-discovery option

* revert Dockerfile to pusher upstream

* revert Dockerfile to pusher upstream

* remove karrieretutor b2c option leftover

* remove karrieretutor b2c option leftover

* Fix typo (missing letters)

Co-Authored-By: marratj <marrat@marrat.de>

* Fix typo (missing letters)

Co-Authored-By: marratj <marrat@marrat.de>

* replace fake http client with NewProvider() from go-oidc

* remove OIDC UserInfo URL option (not required)

* add info about -skip-oidc-discovery to README

* add note to changelog

* Update outdated comment
2019-03-04 13:54:22 +00:00
MisterWil
45742d326d Merge remote-tracking branch 'origin/master' into enhanced_logging 2019-02-26 08:27:06 -08:00