Commit Graph

141 Commits

Author SHA1 Message Date
Benjamin Staffin
faf49ee4e3 Fix redirects on /sign_in when -skip-provider-button is set
Push the logic down a level: now the dispatch happens in SignInPage,
where the correct redirect URI is known.

Fixes #30, hopefully
2019-06-15 14:33:22 -04:00
Adam Eijdenberg
d69560d020 No need for case when only 2 conditions 2019-06-15 18:48:27 +10:00
Adam Eijdenberg
f35c82bb0f The AuthOnly path also needs the response headers set 2019-06-07 14:25:12 +10:00
Adam Eijdenberg
9e59b4f62e Restructure so that serving data from upstream is only done when explicity allowed, rather
than as implicit dangling else
2019-06-07 13:50:44 +10:00
Joel Speed
093f9da881
Move cipher creation to options and away from oauth2_proxy.go 2019-05-20 11:26:13 +02:00
Joel Speed
37e31b5f09
Remove dead code 2019-05-20 11:26:11 +02:00
Joel Speed
c61f3a1c65
Use SessionStore for session in proxy 2019-05-20 11:26:10 +02:00
Joel Speed
fbee5eae16
Initialise SessionStore in Options 2019-05-20 11:26:04 +02:00
Joel Speed
2ab8a7d95d
Move SessionState to its own package 2019-05-18 13:09:56 +02:00
timothy-spencer
1a8bd70b46
fixing code redemption error string logging 2019-05-07 10:47:15 -07:00
Mister Wil
9eaa9fdcbf
Standardizing log messages to colons 2019-04-23 09:36:18 -07:00
MisterWil
d77119be55 Merging changes 2019-04-12 09:26:44 -07:00
MisterWil
c22731afa0 Fixed linting errors. 2019-04-12 08:59:46 -07:00
MisterWil
37c415b889 Self code review changes 2019-04-12 08:59:46 -07:00
MisterWil
8ec025f536 Auth and standard logging with file rolling 2019-04-12 08:59:46 -07:00
Costel Moraru
071d17b521 Expose -cookie-path as configuration parameter 2019-04-10 00:36:35 +03:00
gyson
978c0a33e4 Improve websocket support 2019-03-22 17:19:38 -04:00
Patrick Koenig
6f9eac5190
Set redirect URL path when host is present 2019-03-20 09:25:04 -07:00
einfachchr
f715c9371b Fixes deletion of splitted cookies - Issue #69 (#70)
* fixes deletion of splitted cookies

* three minor adjustments to improve the tests

* changed cookie name matching to regex

* Update oauthproxy.go

Co-Authored-By: einfachchr <einfachchr@gmail.com>

* removed unused variable

* Changelog
2019-03-15 07:18:37 +00:00
Joel Speed
e195a74e26
Revert OAuthCallbackPath 2019-03-12 16:46:37 +00:00
Adam Szalkowski
c7193b4085 Merge websocket proxy feature from openshift/oauth-proxy. Original author: Hiram Chirino <hiram@hiramchirino.com> 2019-03-11 14:05:16 +01:00
dt-rush
549766666e fix redirect url param handling (#10)
* Added conditional to prevent user-supplied redirect URL getting
clobbered

Change-type: patch

* use redirectURL as OAuthCallbackURL (as it should be!)

Change-type: patch
2019-03-05 14:58:26 +00:00
David Holsgrove
2280b42f59 Access token forwarding through nginx auth request (#68)
* Access token forwarding through nginx auth request

Related to #420.

(cherry picked from commit b138872bea)
Signed-off-by: David Holsgrove <david.holsgrove@biarri.com>

* Improved documentation for auth request token

(cherry picked from commit 6fab314f72)
Signed-off-by: David Holsgrove <david.holsgrove@biarri.com>

* Update README.md

Example should set header as `X-Access-Token`

Co-Authored-By: davidholsgrove <davidholsgrove@users.noreply.github.com>

* Update Changelog to reference https://github.com/pusher/oauth2_proxy/pull/68

* Fix Changelog message location
2019-02-22 07:49:57 +00:00
Joel Speed
fb13ee87c8
Merge pull request #34 from marratj/cookie-separator
Change cookie index separator to underscore
2019-02-03 13:21:51 +00:00
Joel Speed
fa2545636b
Merge pull request #15 from pusher/whitelist-domains
Whitelist domains
2019-02-02 18:55:37 +00:00
Marcel Juhnke
a339baf94e change cookie index separator to underscore 2019-01-31 20:07:28 +01:00
Cosmin Cojocar
3326194422 Extract the application/json mime type into a const 2019-01-31 16:23:01 +01:00
Cosmin Cojocar
c12db0ebf7 Returns HTTP unauthorized for ajax requests instead of redirecting to the sing-in page 2019-01-31 16:23:01 +01:00
Steve Arch
01c5f5ae3b Implemented flushing interval (#23)
* Implemented flushing interval

When proxying streaming responses, it would not flush the response writer buffer until some seemingly random point (maybe the number of bytes?). This makes it flush every 1 second by default, but with a configurable interval.

* flushing CHANGELOG

* gofmt and goimports
2019-01-31 14:02:15 +00:00
Joel Speed
bc4d5941fc
Remove duplicated logic 2019-01-30 17:30:48 +00:00
Joel Speed
2a1691a994
Add whitelist domains flag 2019-01-30 17:30:40 +00:00
Steve Arch
090ff11923 redirect to original path after login (#24)
* redirect to original path after login

* tests for new redirect behaviour

* fixed comment

* added redirect fix to changelog
2019-01-29 12:13:02 +00:00
Joel Speed
714e2bdfba
Fix cookie split should account for cookie name 2019-01-22 11:34:55 +00:00
Joel Speed
d4b588dbe9
Split large cookies 2019-01-22 11:34:54 +00:00
Joel Speed
68d4164897
Add Authorization header flags 2019-01-22 11:34:23 +00:00
Joel Speed
d37cc2889e
Fix err declaration shadowing 2018-12-20 10:46:19 +00:00
Joel Speed
ee913fb788
Add comments to exported methods for root package 2018-12-20 09:30:42 +00:00
Joel Speed
8ee802d4e5
Lint for non-comment linter errors 2018-11-29 14:26:41 +00:00
Joel Speed
847cf25228
Move imports from bitly to pusher 2018-11-27 11:45:05 +00:00
Pierce Lopez
74d0fbc868 more robust ClearSessionCookie()
default domain changed from request Host to blank, recently
try to clear cookies for both
2017-12-18 21:16:51 -05:00
Carlo Lobrano
731fa9f8e0 Github provider: use login as user
- Save both user and email in session state:
    Encoding/decoding methods save both email and user
    field in session state, for use cases when User is not derived from
    email's local-parth, like for GitHub provider.

    For retrocompatibility, if no user is obtained by the provider,
    (e.g. User is an empty string) the encoding/decoding methods fall back
    to the previous behavior and use the email's local-part

    Updated also related tests and added two more tests to show behavior
    when session contains a non-empty user value.

- Added first basic GitHub provider tests

- Added GetUserName method to Provider interface
    The new GetUserName method is intended to return the User
    value when this is not the email's local-part.

    Added also the default implementation to provider_default.go

- Added call to GetUserName in redeemCode

    the new GetUserName method is used in redeemCode
    to get SessionState User value.

    For backward compatibility, if GetUserName error is
    "not implemented", the error is ignored.

- Added GetUserName method and tests to github provider.
2017-11-20 20:02:27 +01:00
Mike Bland
e241fe86d3
Switch from 18F/hmacauth to mbland/hmacauth
Since I'm no longer with 18F, I've re-released hmacauth under the ISC
license as opposed to the previous CC0 license. There have been no
changes to the hmacauth code itself, and all tests still pass.
2017-11-07 07:55:24 -05:00
Jehiah Czebotar
bfda078caa Merge pull request #376 from reedloden/make-cookie-domain-optional
Don't set the cookie domain to the host by default, as it breaks Cookie Prefixes
2017-10-23 14:14:45 -04:00
Alan Braithwaite
b640a69d63 oauthproxy: fix #284 -skip-provider-button for /sign_in route 2017-06-21 15:05:36 -07:00
Reed Loden
b6bd878f27 Don't set the cookie domain to the host by default, as it breaks Cookie Prefixes
The Cookie Prefixes spec disallows the use of the `domain` attribute in cookies
if the `__Host-` prefix is used
(https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00#section-3.2).

There's no need to set it to the host by default, so make it optional. If it is
set to a non-empty value, still output a warning if it is not a suffix of the
host, as that's likely not wanted.

Fixes #352.
2017-04-24 13:03:40 -07:00
idntfy
1e7d2a08a3 #369: Optionally allow skipping authentication for preflight requests 2017-04-07 15:01:47 +03:00
Sjoerd Mulder
90a22b2f39 Use X-Auth-Request-Redirect request header in sign-in page
This is useful in Nginx auth_request mode, if a 401 handler is
configured to redirect to the sign-in page. As the request URL
does not reflect the actual URL, the value is taken from the
header "X-Auth-Request-Redirect" instead. Based on #247
2017-03-29 21:28:55 +05:30
Lukasz Siudut
829b442302 add --set-xauthrequest flag for use in Nginx auth_request mode
This is enhancement of #173 to use "Auth Request" consistently in
the command-line option, configuration file and response headers.
It always sets the X-Auth-Request-User response header and if the
email is available, sets X-Auth-Request-Email as well.
2017-03-29 21:28:55 +05:30
Jehiah Czebotar
c5fc7baa86 gofmt 2017-03-29 09:36:38 -04:00
Colin Arnott
55085d9697 csrf protection; always set state 2017-03-29 09:31:10 -04:00