Run as non-root user and group In the unlikely event that you are currently persisting data to disk then this change may break file read/write access due to a change in the UID/GID that the oauth2_proxy process runs as. Run as non-root system user and group `oauth2proxy` with UID/GID `2000` to avoid clashing with typical local users. An alternative to creating a separate user is to ~~chown binary and~~ run as `USER nobody`, which also works, can amend this PR if required. Least access privileges. Close: https://github.com/pusher/oauth2_proxy/issues/78 Locally with Docker (`-version`): ``` $ ps aux | grep oauth2 2000 25192 6.0 0.0 0 0 ? Ds 15:53 0:00 [oauth2_proxy] ``` Running in Kubernetes 1.13 with the following also specified: ``` securityContext: readOnlyRootFilesystem: true runAsNonRoot: true runAsUser: 10001 ``` ``` $ kubectl exec -it -n oauth2-proxy oauth2-proxy-85c9f58ffc-dz9lr sh /opt $ whoami whoami: unknown uid 10001 /opt $ ps aux PID USER TIME COMMAND 1 10001 0:00 /opt/oauth2_proxy --whitelist-domain=.example.com --cookie-domain=example.com --email-domain=example.com --upstream=file:///dev/null --http-address=0.0.0.0:4180 11 10001 0:00 sh 17 10001 0:00 ps aux ``` <!--- Go over all the following points, and put an `x` in all the boxes that apply. --> <!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! --> - [x] My change requires a change to the documentation or CHANGELOG. - [x] I have updated the documentation/CHANGELOG accordingly. - [x] I have created a feature (non-master) branch for my PR.
3.6 KiB
3.6 KiB
Vx.x.x (Pre-release)
Changes since v3.1.0
- #85 Potentially breaking change: docker user & group (@kskewes)
- #68 forward X-Auth-Access-Token header (@davidholsgrove)
v3.1.0
Release highlights
- Introduction of ARM releases and and general improvements to Docker builds
- Improvements to OIDC provider allowing pass-through of ID Tokens
- Multiple redirect domains can now be whitelisted
- Streamed responses are now flushed periodically
Important notes
- If you have been using #bitly/621
and have cookies larger than the 4kb limit,
the cookie splitting pattern has changed and now uses
_
in place of-
when indexing cookies. This will force users to reauthenticate the first time they usev3.1.0
. - Streamed responses will now be flushed every 1 second by default.
Previously streamed responses were flushed only when the buffer was full.
To retain the old behaviour set
--flush-interval=0
. See #23 for further details.
Changes since v3.0.0
- #14 OIDC ID Token, Authorization Headers, Refreshing and Verification (@joelspeed)
- Implement
pass-authorization-header
andset-authorization-header
flags - Implement token refreshing in OIDC provider
- Split cookies larger than 4k limit into multiple cookies
- Implement token validation in OIDC provider
- Implement
- #15 WhitelistDomains (@joelspeed)
- Add
--whitelist-domain
flag to allow redirection to approved domains after OAuth flow
- Add
- #21 Docker Improvement (@yaegashi)
- Move Docker base image from debian to alpine
- Install ca-certificates in docker image
- #23 Flushed streaming responses
- Long-running upstream responses will get flushed every (1 second by default)
- #24 Redirect fix (@agentgonzo)
- After a successful login, you will be redirected to your original URL rather than /
- #35 arm and arm64 binary releases (@kskewes)
- Add armv6 and arm64 to Makefile
release
target
- Add armv6 and arm64 to Makefile
- #37 cross build arm and arm64 docker images (@kskewes)
v3.0.0
Adoption of OAuth2_Proxy by Pusher. Project was hard forked and tidied however no logical changes have occurred since v2.2 as released by Bitly.
Changes since v2.2:
- #7 Migration to Pusher (@joelspeed)
- Move automated build to debian base image
- Add Makefile
- Update CI to run
make test
- Update Dockerfile to use
make clean oauth2_proxy
- Update
VERSION
parameter to be set byldflags
from Git Status - Remove lint and test scripts
- Update CI to run
- Remove Go v1.8.x from Travis CI testing
- Add CODEOWNERS file
- Add CONTRIBUTING guide
- Add Issue and Pull Request templates
- Add Dockerfile
- Fix fsnotify import
- Update README to reflect new repository ownership
- Update CI scripts to separate linting and testing
- Now using
gometalinter
for linting
- Now using
- Move Go import path from
github.com/bitly/oauth2_proxy
togithub.com/pusher/oauth2_proxy
- Repository forked on 27/11/18
- README updated to include note that this repository is forked
- CHANGLOG created to track changes to repository from original fork