Jan Larwig 2025-10-04 14:53:13 +00:00 committed by GitHub
commit 63b7e0453f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
12 changed files with 726 additions and 133 deletions

.github/CODEOWNERS (vendored, 45 lines changed)

@ -1,5 +1,31 @@
# Default owner should be a core org reviewers unless overridden by later rules in this file
* @oauth2-proxy/reviewers
# OAuth2-Proxy CODEOWNERS
# This file maps repository paths to GitHub teams for review.
# Syntax: https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
# --- Core Maintainers (project-wide) ---
* @oauth2-proxy/maintainers
# --- Core ---
* @oauth2-proxy/core-reviewers
# --- Documentation ---
docs/ @oauth2-proxy/documentation-reviewers
# --- CI / Testing ---
.devcontainer/ @oauth2-proxy/ci-reviewers
.github/ @oauth2-proxy/ci-reviewers
.vscode/ @oauth2-proxy/ci-reviewers
contrib/ @oauth2-proxy/ci-reviewers
go.mod @oauth2-proxy/ci-reviewers
go.sum @oauth2-proxy/ci-reviewers
# --- Configuration / API ---
contrib/ @oauth2-proxy/api-reviewers
pkg/apis/ @oauth2-proxy/api-reviewers
# --- Provider ---
providers/ @oauth2-proxy/provider-reviewers
# login.gov provider
# Note: If @timothy-spencer terms out of his appointment, your best bet
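Review bot: the two project-wide rules `* @oauth2-proxy/maintainers` and `* @oauth2-proxy/core-reviewers` conflict. GitHub CODEOWNERS resolves a path to the last matching pattern only, so the maintainers line is never applied and `*` ends up owned by core-reviewers alone. The same applies to `contrib/`, which is listed under both ci-reviewers and api-reviewers; only the later api-reviewers entry takes effect. If both teams should be requested, put them on one line, e.g. `* @oauth2-proxy/maintainers @oauth2-proxy/core-reviewers` and `contrib/ @oauth2-proxy/ci-reviewers @oauth2-proxy/api-reviewers`.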
@ -7,17 +33,4 @@
# in the login.gov team (https://login.gov/developers/), the cloud.gov team
# (https://cloud.gov/docs/help/), or the 18F org (https://18f.gsa.gov/contact/
# or the public devops channel at https://chat.18f.gov/).
providers/logingov.go @timothy-spencer
providers/logingov_test.go @timothy-spencer
# Bitbucket provider
providers/bitbucket.go @aledeganopix4d
providers/bitbucket_test.go @aledeganopix4d
# Nextcloud provider
providers/nextcloud.go @Ramblurr
providers/nextcloud_test.go @Ramblurr
# DigitalOcean provider
providers/digitalocean.go @kamaln7
providers/digitalocean_test.go @kamaln7
providers/logingov.* @oauth2-proxy/provider-login-gov-reviewers
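Review bot: the login.gov owner now points at the `@oauth2-proxy/provider-login-gov-reviewers` team, but the surrounding comment block still explains what to do if @timothy-spencer "terms out of his appointment"; either drop that note or reword it so it describes the team rather than an individual. It is also worth confirming that the Bitbucket, Nextcloud and DigitalOcean providers are intended to fall back to the generic `providers/ @oauth2-proxy/provider-reviewers` rule now that their individual owner lines are removed.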

.github/workflows/ossf-scorecard.yml (vendored, new file, 71 lines changed)

@ -0,0 +1,71 @@
name: Scorecard supply-chain security
on:
# For Branch-Protection check. Only the default branch is supported. See
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
branch_protection_rule:
# To guarantee Maintained check is occasionally updated. See
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
schedule:
- cron: "26 12 * * 1"
push:
branches: ["master"]
# Declare default permissions as read only.
permissions: read-all
jobs:
analysis:
name: Scorecard analysis
runs-on: ubuntu-latest
# `publish_results: true` only works when run from the default branch. conditional can be removed if disabled.
if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
# Needed to publish results and get a badge (see publish_results below).
id-token: write
steps:
- name: "Checkout code"
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: "Run analysis"
uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
with:
results_file: results.sarif
results_format: sarif
# (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
# - you want to enable the Branch-Protection check on a *public* repository, or
# - you are installing Scorecard on a *private* repository
# To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
# repo_token: ${{ secrets.SCORECARD_TOKEN }}
# Public repositories:
# - Publish results to OpenSSF REST API for easy access by consumers
# - Allows the repository to include the Scorecard badge.
# - See https://github.com/ossf/scorecard-action#publishing-results.
# For private repositories:
# - `publish_results` will always be set to `false`, regardless
# of the value entered here.
publish_results: true
# (Optional) Uncomment file_mode if you have a .gitattributes with files marked export-ignore
# file_mode: git
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
with:
name: SARIF file
path: results.sarif
retention-days: 5
# Upload the results to GitHub's code scanning dashboard (optional).
# Commenting out will disable upload of results to your repo's Code Scanning dashboard
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
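Review bot: `github/codeql-action/upload-sarif@v3` is pinned to a mutable tag while every other step in this workflow is pinned to a full commit SHA with a version comment; pin it the same way, otherwise Scorecard's own Pinned-Dependencies check will flag this very file. Minor: the `if:` condition also tests `github.event_name == 'pull_request'`, but the workflow declares no `pull_request` trigger, so that half of the condition is dead and can be dropped.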


@ -1,134 +1,112 @@
# Contributor Covenant Code of Conduct
## CNCF Community Code of Conduct v1.3
## Our Pledge
Other languages available:
- [Arabic/العربية](https://github.com/cncf/foundation/blob/main/code-of-conduct-languages/ar.md)
- [Bengali/বাংলা](https://github.com/cncf/foundation/blob/main/code-of-conduct-languages/bn.md)
- [Bulgarian/Български](https://github.com/cncf/foundation/blob/main/code-of-conduct-languages/bg.md)
- [Chinese/中文](https://github.com/cncf/foundation/blob/main/code-of-conduct-languages/zh.md)
- [Czech/Česky](https://github.com/cncf/foundation/blob/main/code-of-conduct-languages/cs.md)
- [Farsi/فارسی](https://github.com/cncf/foundation/blob/main/code-of-conduct-languages/fa.md)
- [French/Français](https://github.com/cncf/foundation/blob/main/code-of-conduct-languages/fr.md)
- [German/Deutsch](https://github.com/cncf/foundation/blob/main/code-of-conduct-languages/de.md)
- [Hebrew/עברית](https://github.com/cncf/foundation/blob/main/code-of-conduct-languages/he.md)
- [Hindi/हिन्दी](https://github.com/cncf/foundation/blob/main/code-of-conduct-languages/hi.md)
- [Hungarian/Magyar](https://github.com/cncf/foundation/blob/main/code-of-conduct-languages/hu.md)
- [Indonesian/Bahasa Indonesia](https://github.com/cncf/foundation/blob/main/code-of-conduct-languages/id.md)
- [Italian/Italiano](https://github.com/cncf/foundation/blob/main/code-of-conduct-languages/it.md)
- [Japanese/日本語](https://github.com/cncf/foundation/blob/main/code-of-conduct-languages/ja.md)
- [Korean/한국어](https://github.com/cncf/foundation/blob/main/code-of-conduct-languages/ko.md)
- [Polish/Polski](https://github.com/cncf/foundation/blob/main/code-of-conduct-languages/pl.md)
- [Portuguese/Português](https://github.com/cncf/foundation/blob/main/code-of-conduct-languages/pt.md)
- [Russian/Русский](https://github.com/cncf/foundation/blob/main/code-of-conduct-languages/ru.md)
- [Spanish/Español](https://github.com/cncf/foundation/blob/main/code-of-conduct-languages/es.md)
- [Turkish/Türkçe](https://github.com/cncf/foundation/blob/main/code-of-conduct-languages/tr.md)
- [Ukrainian/Українська](https://github.com/cncf/foundation/blob/main/code-of-conduct-languages/uk.md)
- [Vietnamese/Tiếng Việt](https://github.com/cncf/foundation/blob/main/code-of-conduct-languages/vi.md)
We as members, contributors, and leaders pledge to make participation in our
community a harassment-free experience for everyone, regardless of age, body
size, visible or invisible disability, ethnicity, sex characteristics, gender
identity and expression, level of experience, education, socio-economic status,
nationality, personal appearance, race, caste, color, religion, or sexual
identity and orientation.
### Community Code of Conduct
We pledge to act and interact in ways that contribute to an open, welcoming,
diverse, inclusive, and healthy community.
As contributors, maintainers, and participants in the CNCF community, and in the interest of fostering
an open and welcoming community, we pledge to respect all people who participate or contribute
through reporting issues, posting feature requests, updating documentation,
submitting pull requests or patches, attending conferences or events, or engaging in other community or project activities.
We are committed to making participation in the CNCF community a harassment-free experience for everyone, regardless of age, body size, caste, disability, ethnicity, level of experience, family status, gender, gender identity and expression, marital status, military or veteran status, nationality, personal appearance, race, religion, sexual orientation, socioeconomic status, tribe, or any other dimension of diversity.
## Scope
This code of conduct applies:
* within project and community spaces,
* in other spaces when an individual CNCF community participant's words or actions are directed at or are about a CNCF project, the CNCF community, or another CNCF community participant in the context of a CNCF activity.
### CNCF Events
CNCF events that are produced by the Linux Foundation with professional events staff are governed by the Linux Foundation [Events Code of Conduct](https://events.linuxfoundation.org/code-of-conduct/) available on the event page. This is designed to be used in conjunction with the CNCF Code of Conduct.
## Our Standards
Examples of behavior that contributes to a positive environment for our
community include:
The CNCF Community is open, inclusive and respectful. Every member of our community has the right to have their identity respected.
Examples of behavior that contributes to a positive environment include but are not limited to:
* Demonstrating empathy and kindness toward other people
* Being respectful of differing opinions, viewpoints, and experiences
* Giving and gracefully accepting constructive feedback
* Accepting responsibility and apologizing to those affected by our mistakes,
and learning from the experience
* Focusing on what is best not just for us as individuals, but for the overall
community
* Focusing on what is best not just for us as individuals, but for the
overall community
* Using welcoming and inclusive language
Examples of unacceptable behavior include:
* The use of sexualized language or imagery, and sexual attention or advances of
any kind
Examples of unacceptable behavior include but are not limited to:
* The use of sexualized language or imagery
* Trolling, insulting or derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or email address,
without their explicit permission
* Public or private harassment in any form
* Publishing others' private information, such as a physical or email
address, without their explicit permission
* Violence, threatening violence, or encouraging others to engage in violent behavior
* Stalking or following someone without their consent
* Unwelcome physical contact
* Unwelcome sexual or romantic attention or advances
* Using CNCF projects or community spaces for political campaigning or promotion of political causes
that are unrelated to the advancement of cloud native technology. To clarify, this policy does not restrict individuals' personal attire, including attire that expresses personal beliefs or aspects of identity.
* Other conduct which could reasonably be considered inappropriate in a
professional setting
## Enforcement Responsibilities
The following behaviors are also prohibited:
* Providing knowingly false or misleading information in connection with a Code of Conduct investigation or otherwise intentionally tampering with an investigation.
* Retaliating against a person because they reported an incident or provided information about an incident as a witness.
Community leaders are responsible for clarifying and enforcing our standards of
acceptable behavior and will take appropriate and fair corrective action in
response to any behavior that they deem inappropriate, threatening, offensive,
or harmful.
Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct.
By adopting this Code of Conduct, project maintainers commit themselves to fairly and consistently applying these principles to every aspect
of managing a CNCF project.
Project maintainers who do not follow or enforce the Code of Conduct may be temporarily or permanently removed from the project team.
Community leaders have the right and responsibility to remove, edit, or reject
comments, commits, code, wiki edits, issues, and other contributions that are
not aligned to this Code of Conduct, and will communicate reasons for moderation
decisions when appropriate.
## Reporting
## Scope
For incidents occurring in the Kubernetes community, contact the [Kubernetes Code of Conduct Committee](https://git.k8s.io/community/committee-code-of-conduct) via <conduct@kubernetes.io>. You can expect a response within three business days.
This Code of Conduct applies within all community spaces, and also applies when
an individual is officially representing the community in public spaces.
Examples of representing our community include using an official email address,
posting via an official social media account, or acting as an appointed
representative at an online or offline event.
For other projects, or for incidents that are project-agnostic or impact multiple CNCF projects, please contact the [CNCF Code of Conduct Committee](https://www.cncf.io/conduct/committee/) via <conduct@cncf.io>. Alternatively, you can contact any of the individual members of the [CNCF Code of Conduct Committee](https://www.cncf.io/conduct/committee/) to submit your report. For more detailed instructions on how to submit a report, including how to submit a report anonymously, please see our [Incident Resolution Procedures](https://github.com/cncf/foundation/blob/main/code-of-conduct/coc-incident-resolution-procedures.md). You can expect a response within three business days.
For incidents occurring at CNCF event that is produced by the Linux Foundation, please contact <eventconduct@cncf.io>.
## Frequently asked questions
For more information about this Code of Conduct, please see the [CNCF Code of Conduct Frequently Asked Questions](https://www.cncf.io/conduct/faq/).
## Enforcement
Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported to the community leaders responsible for enforcement at
https://gophers.slack.com/messages/CM2RSS25N or directly contacting one of the
maintainers from the MAINTAINERS file.
All complaints will be reviewed and investigated promptly and fairly.
Upon review and investigation of a reported incident, the CoC response team that has jurisdiction will determine what action is appropriate based on this Code of Conduct and its related documentation.
All community leaders are obligated to respect the privacy and security of the
reporter of any incident.
For information about which Code of Conduct incidents are handled by project leadership, which incidents are handled by the CNCF Code of Conduct Committee, and which incidents are handled by the Linux Foundation (including its events team), see our [Jurisdiction Policy](https://github.com/cncf/foundation/blob/main/code-of-conduct/coc-committee-jurisdiction-policy.md).
## Enforcement Guidelines
## Amendments
Community leaders will follow these Community Impact Guidelines in determining
the consequences for any action they deem in violation of this Code of Conduct:
Consistent with the CNCF Charter, any substantive changes to this Code of Conduct must be approved by the Technical Oversight Committee.
### 1. Correction
**Community Impact**: Use of inappropriate language or other behavior deemed
unprofessional or unwelcome in the community.
**Consequence**: A private, written warning from community leaders, providing
clarity around the nature of the violation and an explanation of why the
behavior was inappropriate. A public apology may be requested.
### 2. Warning
**Community Impact**: A violation through a single incident or series of
actions.
**Consequence**: A warning with consequences for continued behavior. No
interaction with the people involved, including unsolicited interaction with
those enforcing the Code of Conduct, for a specified period of time. This
includes avoiding interactions in community spaces as well as external channels
like social media. Violating these terms may lead to a temporary or permanent
ban.
### 3. Temporary Ban
**Community Impact**: A serious violation of community standards, including
sustained inappropriate behavior.
**Consequence**: A temporary ban from any sort of interaction or public
communication with the community for a specified period of time. No public or
private interaction with the people involved, including unsolicited interaction
with those enforcing the Code of Conduct, is allowed during this period.
Violating these terms may lead to a permanent ban.
### 4. Permanent Ban
**Community Impact**: Demonstrating a pattern of violation of community
standards, including sustained inappropriate behavior, harassment of an
individual, or aggression toward or disparagement of classes of individuals.
**Consequence**: A permanent ban from any sort of public interaction within the
community.
## Attribution
This Code of Conduct is adapted from the [Contributor Covenant][homepage],
version 2.1, available at
[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1].
Community Impact Guidelines were inspired by
[Mozilla's code of conduct enforcement ladder][Mozilla CoC].
For answers to common questions about this code of conduct, see the FAQ at
[https://www.contributor-covenant.org/faq][FAQ]. Translations are available at
[https://www.contributor-covenant.org/translations][translations].
[homepage]: https://www.contributor-covenant.org
[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html
[Mozilla CoC]: https://github.com/mozilla/diversity
[FAQ]: https://www.contributor-covenant.org/faq
[translations]: https://www.contributor-covenant.org/translations
## Acknowledgements
This Code of Conduct is adapted from the Contributor Covenant
(http://contributor-covenant.org), version 2.0 available at
http://contributor-covenant.org/version/2/0/code_of_conduct/
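Review bot: "For incidents occurring at CNCF event that is produced by the Linux Foundation" is missing an article and should read "at a CNCF event". Also, the new reporting section only lists CNCF and Kubernetes contacts; if the project-level channel (the gophers.slack.com link and the MAINTAINERS file) is being dropped on purpose, consider keeping one sentence that tells reporters how to reach the OAuth2-Proxy maintainers directly.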

CONTRIBUTOR_LADDER.md (new file, 268 lines changed)

@ -0,0 +1,268 @@
# OAuth2-Proxy Contributor Ladder
This document defines the roles, responsibilities, advancement criteria,
inactivity process, and interim role policies for OAuth2-Proxy contributors.
It extends the standard Kubernetes-style ladder with **specialty tracks** so
contributors can grow within their focus areas.
---
## Roles
### 1) Contributor
Anyone making contributions of any kind (code, docs, tests, CI configs, security
reports, reviews, triage, discussions).
**Requirements**
- For code changes all commits need to be Signed-Off by you. This is enforced
through the [DCO GitHub App](https://github.com/apps/dco)
- Follow the OAuth2-Proxy/CNCF [Code of Conduct](CODE_OF_CONDUCT.md)
**Privileges**
- Recognized as an active community member
- Eligible for nomination to **Member**
---
### 2) Member
Regular contributors engaged with the project for at least **3 months**.
**Requirements**
- Self nomination by the contributor via a GitHub Issue.
- Must be Sponsored/Approved by **two Core Maintainers** (sponsorship ask must
happen within the GitHub issue by tagging the sponsors).
- Substantive contributions (code, docs, tests, reviews, triage) in the last
3 months.
**Privileges**
- Added to the GitHub `members` team.
- Can be assigned issues and PRs.
- Eligible for **Reviewer** nomination.
---
### 3) Reviewer (per Specialty)
Experienced contributors who review changes in **one or more specialties**.
**Requirements**
- Member for at least **3 months**.
- Regular, high-quality reviews in the specialty.
- Several meaningful Issue or PR reviews over the last 3 months.
**Privileges**
- Listed as `reviewer` in the relevant `OWNERS` files.
- May use `/lgtm` on PRs within the specialty.
- Eligible for **Maintainer** nomination.
> A contributor may hold different roles across specialties
(e.g., **Reviewer** in Provider Integrations, **Member** in Core Proxy).
---
### 4) Maintainer (Project-Wide)
Project leaders with governance, release, and cross-specialty responsibility.
**Requirements**
- Reviewer for at least **6 months** in one or more specialties.
- Demonstrated leadership, reliability, and constructive collaboration.
- Nominated and approved by a **simple majority** of Maintainers.
**Privileges**
- GitHub admin rights as needed.
- Release management authority.
- Representation within CNCF.
---
## Specialty Tracks
Specialties define scope for `reviewer` permissions and expectations.
### Core Proxy
Focus: Main proxy functionality, request handling, session management,
authentication flow, and security implementation.
**Key Responsibilities:**
- Review core proxy changes in files like `oauthproxy.go`, `main.go`, and `validator.go`
- Ensure adherence to [OAuth 2.0 Authorization Framework](https://tools.ietf.org/html/rfc6749)
and [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html) specifications
- Validate security implementations, including session management, token
validation, and secure cookie handling
- Review authentication and authorization flow implementations
- Ensure proper handling of edge cases and security vulnerabilities
### Provider Integrations
Focus: OAuth/OIDC provider integrations in the `providers/` directory.
**Key Responsibilities:**
- Review provider-specific code changes in the `providers/` directory
- Ensure conformance to OAuth/OIDC standards and provider-specific requirements
- Coordinate breaking changes for provider implementations
- Review provider configuration documentation
- Validate provider test implementations
### Configuration / API
Focus: Configuration options, API changes, and example configurations.
**Key Responsibilities:**
- Review configuration-related code and documentation
- Ensure backward compatibility of configuration options
- Review example configurations in the `contrib/` directory
- Validate CLI argument parsing and validation
### Helm Chart & Kubernetes
Focus: Helm chart in the separate `oauth2-proxy/manifests` repository and
Kubernetes deployment configurations.
**Key Responsibilities:**
- Review Helm chart templates and values
- Ensure Kubernetes best practices in deployment configurations
- Validate Helm chart testing and CI integration
- Review Kubernetes-related documentation
### Documentation
Focus: Documentation in the `docs/` directory, including configuration guides,
provider documentation, and tutorials.
**Key Responsibilities:**
- Review documentation changes for accuracy and clarity
- Ensure documentation is kept in sync with code changes
- Review provider-specific documentation
- Validate example configurations and tutorials
- Review versioning and release documentation
### CI / Automation
Focus: Test implementations and CI/CD workflows across repositories.
**Key Responsibilities:**
- Review integration and E2E tests
- Ensure adequate test coverage for new features
- Review CI/CD workflows in `.github/workflows/`
- Validate test infrastructure and test data
- Review test automation and reporting
### Community
Focus: Community nurturing, issue triage, and user support.
**Key Responsibilities:**
- Help with issue triage and support requests
- Monitor community channels (Slack, GitHub Discussions)
- Organize community talks and events
- Promote OAuth2-Proxy in the community
- Create demos and tutorials for users
- Foster a welcoming environment for new contributors
---
### Specialty Advancement
Contributors can advance in multiple specialties simultaneously. For example:
- A contributor could be a **Reviewer** in Provider Integrations and a **Member** in Core Proxy
- A contributor could be a **Reviewer** in both Helm Chart & Kubernetes and Testing & CI
This allows contributors to focus on areas where they have expertise while still contributing to other parts of the project.
---
## Member Abuse
Abuse of project resources is a serious violation of our community standards and
will not be tolerated. This includes but is not limited to:
* Using project infrastructure for unauthorized activities.
* Misusing project funds or financial resources.
* Gaining unauthorized access to or damaging project infrastructure.
* Willingly engaging in activities that are against the Code of Conduct.
* Willingly introducing malware or viruses to the project's infrastructure or codebase.
* Any other activity that jeopardizes the project's resources, reputation, or community members.
### Procedure for Handling Abuse
1. **Immediate Revocation of Privileges**: If abuse is suspected, any maintainer
can immediately revoke the member's access to all project infrastructure and
resources to prevent further damage. This is a precautionary measure and not a
final judgment.
2. **Investigation**: The maintainers will conduct a private investigation to
gather all relevant facts and evidence. The accused member will be given an
opportunity to respond to the allegations.
3. **Decision**: Based on the investigation, the maintainers will determine if a
violation has occurred.
4. **Consequences**: If a violation is confirmed, consequences will be applied,
which may include:
- Permanent removal from the project.
- Reporting the user to GitHub and other relevant platforms.
- In cases of financial misuse or illegal activities, reporting to law
enforcement authorities.
All actions taken will be documented. The privacy of all individuals involved
will be respected throughout the process.
---
## Advancement Process
1. **Nomination** by an eligible community member (Member or Higher) via a GitHub issue.
2. **Sponsorship** by two role holders at the **target level or higher** (within the specialty where applicable).
3. **Review** of activity and behavior (quality, reliability, collaboration, responsiveness).
4. **Decision** by lazy consensus of the relevant group (or **simple majority** if contested).
---
## Inactivity
A **Reviewer** or **Maintainer** role holder may be considered inactive if they
have not actively contributed or performed general project responsibilities for
**six (6) consecutive months**.
### Measurement Sources
- GitHub activity: Merged PRs, PR reviews, issue triage/comments.
- Participation in community calls or asynchronous design discussions.
### Triggering Process
1. **Detection**
- Activity is reviewed at least quarterly by Maintainers or via automation.
- Any Maintainer may propose an inactivity review for a role holder.
2. **Notification**
- A public issue is opened in a `community`/`governance` space (or email if sensitive).
- The individual is tagged/emailed and given **30 days** to respond.
3. **Grace Period**
- If the contributor indicates intent to return, no change is made.
- If there is no response within the grace period, proceed.
4. **Decision**
- Demotion is decided by **lazy consensus** of Maintainers, or **simple majority** if contested.
5. **Scope**
- Demotion via inactivity fully removes the role holder from the organization.
6. **Documentation**
- Update `OWNERS`, GitHub teams, and governance records.
- Former Members may be listed as **Emeritus**.
### Reinstatement
A contributor can be reinstated at their previous level via the standard
advancement process. Prior history is considered favorably.
---
## Emeritus Status
Emeritus status recognizes former Maintainers, Reviewers, or Members who have
made substantial and lasting contributions to the OAuth2-Proxy project but are
stepping down from active responsibilities.
Emeritus status is honorary and does not confer any formal responsibilities or
authority.
### Purpose
* Honor and recognize long-term contributions.
* Preserve institutional knowledge and mentorship potential.
* Encourage continued engagement with the community without requiring full role responsibilities.
---
## Cross-References
- Project governance and decision-making: see [GOVERNANCE.md](GOVERNANCE.md)
- Specialty ownership: [CODEOWNERS](./.github/CODEOWNERS) files per directory
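Review bot: the Reviewer privileges ("Listed as `reviewer` in the relevant `OWNERS` files", "May use `/lgtm` on PRs") and the Inactivity step "Update `OWNERS`, GitHub teams, and governance records" describe Prow-style OWNERS files, but ownership in this repository is expressed through `.github/CODEOWNERS` and GitHub teams, as the Cross-References section itself states; reword these to the CODEOWNERS and team mechanism actually in use. The Specialty Advancement example also names a "Testing & CI" specialty while the track above is titled "CI / Automation"; use one name. Style: the Member Abuse and Emeritus lists use `*` bullets where the rest of the file uses `-`.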

DCO.md (new file, 34 lines changed)

@ -0,0 +1,34 @@
Developer Certificate of Origin
Version 1.1
Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
Everyone is permitted to copy and distribute verbatim copies of this
license document, but changing it is not allowed.
Developer's Certificate of Origin 1.1
By making a contribution to this project, I certify that:
(a) The contribution was created in whole or in part by me and I
have the right to submit it under the open source license
indicated in the file; or
(b) The contribution is based upon previous work that, to the best
of my knowledge, is covered under an appropriate open source
license and I have the right under that license to submit that
work with modifications, whether created in whole or in part
by me, under the same open source license (unless I am
permitted to submit under a different license), as indicated
in the file; or
(c) The contribution was provided directly to me by some other
person who certified (a), (b) or (c) and I have not modified
it.
(d) I understand and agree that this project and the contribution
are public and that a record of the contribution (including all
personal information I submit with it, including my sign-off) is
maintained indefinitely and may be redistributed consistent with
this project or the open source license(s) involved.

GOVERNANCE.md (new file, 170 lines changed)

@ -0,0 +1,170 @@
# OAuth2-Proxy Governance
This document defines the project governance for OAuth2-Proxy
## Overview
**OAuth2-Proxy** is a flexible, open-source tool that can act as either a
standalone reverse proxy or a middleware component integrated into existing
reverse proxy or load balancer setups. It provides a simple and secure way to
protect your web applications with OAuth2 / OIDC authentication. As a reverse
proxy, it intercepts requests to your application and redirects users to an
OAuth2 provider for authentication. As a middleware, it can be seamlessly
integrated into your existing infrastructure to handle authentication for
multiple applications.
OAuth2-Proxy supports a lot of OAuth2 as well as OIDC providers. Either through
a generic OIDC client or a specific implementation for Google, Microsoft Entra ID,
GitHub, login.gov and others. Through specialised provider implementations
oauth2-proxy can extract more details about the user like preferred usernames
and groups. Those details can then be forwarded as HTTP headers to your
upstream applications.
## Community Roles
- **Users**: Engineers and operators who deploy, configure, and maintain
OAuth2-Proxy in their environments. These are typically DevOps engineers,
SREs, or platform engineers who integrate OAuth2-Proxy with their
applications. End users who authenticate through OAuth2-Proxy typically do
not interact directly with OAuth2-Proxy
- **Contributors**: Anyone who makes contributions (code, docs, tests, reviews,
triage, discussions)
- **Reviewers / Maintainers**: Governance roles with defined responsibilities,
privileges, and promotion processes described in the [Contributor Ladder](CONTRIBUTOR_LADDER.md)
Maintainers are project leaders responsible for overall health, technical
direction, and release management.
---
## Maintainers
### Core Maintainers
Core Maintainers are a subset of Maintainers who have been with the project for
an extended period and have demonstrated consistent technical leadership and
commitment. They are responsible for major project decisions, including
governance changes and maintainer appointments.
### Expectations
Maintainers are expected to:
- Review pull requests, triage issues, and fix bugs in their areas of expertise
- Monitor community channels and help users and contributors
- Respond to time-sensitive security issues
- Follow the decision-making processes described in this document and in the
Contributor Ladder
If a maintainer cannot fulfill these duties, they should move to **Emeritus**
status. Maintainers may also be moved to Emeritus via the decision-making process.
### Adding or Removing Maintainers
- **Addition**: A candidate is nominated by an existing maintainer and elected
by a **simple majority** of current maintainers
- **Removal**: Removal requires a **simple majority** of current maintainers
- **Company voting**: Votes to nominate maintainers by contributors belonging
to the same employer count as **one** collective vote.
---
## Voting Eligibility
Voting rights vary by decision type:
| Decision Type | Eligible Voters |
|------------------------------------------------|----------------------------------------------|
| **Governance changes** | Core Maintainers |
| **Adding/removing Maintainers** | Core Maintainers |
| **Technical decisions within a specialty** | All Reviewers and Maintainers |
| **Project-wide technical direction** | All Maintainers |
| **Security incident decisions** | All Maintainers |
**Notes:**
- Company voting limits apply: maintainers/reviewers from the same declared
employer have **one** combined vote
- If maintainers/reviewers from the same declared employer cannot reach
consensus for their vote, that employer's vote is recorded as **abstain**
---
## Decision Making
OAuth2-Proxy strives for **consensus** via open discussion. When consensus
cannot be reached, any eligible voter may call a vote.
- **Simple Majority**: More than 50% of eligible voters in the group
- **Venues**: Votes may occur on GitHub, email, Slack, community meetings, or a
suitable voting service
- **Ballots**: "Agree/+1", "Disagree/-1", or "Abstain" (counts as no vote)
---
## Contributing Changes
The process of reviewing proposed changes differs depending on the size and
impact of the change.
### Minor Changes
A minor change is a bug fix, a smaller enhancement or a smaller addition to
existing features.
To propose a minor change, simply create an issue in our [Issue Tracker](https://github.com/oauth2-proxy/oauth2-proxy/issues) or directly create a pull request.
A maintainer will be responsible for ultimately approving the pull request. The
maintainer may do a deep review of the pull request or delegate to an expert in
the corresponding area.
If the change has a bigger impact it has to follow the process for larger
changes.
### Larger Changes
For larger changes all maintainers and contributors should have a chance of
reviewing the change. Therefore larger changes require an RFC to be created
through the [Issue Tracker](https://github.com/oauth2-proxy/oauth2-proxy/issues).
If there are any objections to the change they can in most cases be resolved
through discussions in the corresponding issue or pull request. If a resolution
can not be made it can be accepted if at least 2/3 of maintainers approve the
change.
---
## Lazy Consensus
OAuth2-Proxy uses [Lazy Consensus](http://en.osswiki.info/concepts/lazy_consensus) for most decisions.
- PRs and proposals should allow **at least eight (8) working days** for comments
- Other maintainers may request additional time when justified and commit to a
timely review
**Exclusions** (lazy consensus does **not** apply):
- Removal of maintainers
- Any substantive governance changes
---
## Updating Governance
Substantive changes to this document require a **simple majority** of Core Maintainers.
---
## Contributor Pathways & Specialties
Advancement pathways, responsibilities, privileges, and specialty areas are
defined in the [Contributor Ladder](CONTRIBUTOR_LADDER.md).
---
## Security
OAuth2-Proxy follows responsible disclosure practices. Security-impacting
issues should be reported via the documented security contact channels
(see `SECURITY.md` if present or repository Security tab). Security fixes may
be handled privately until a coordinated disclosure and release are ready.
---
## CNCF Alignment
OAuth2-Proxy governance aims for open, transparent, and vendor-neutral operation
consistent with CNCF expectations. The [Contributor Ladder](CONTRIBUTOR_LADDER.md)
provides clear pathways for community members to grow into leadership.
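Review bot: the voting rules for maintainer appointments are inconsistent between sections. "Adding or Removing Maintainers" says a candidate is elected by a simple majority of current maintainers, while the Voting Eligibility table lists only Core Maintainers as eligible voters for "Adding/removing Maintainers"; pick one electorate and state it in both places. The "Company voting" bullet in the same section speaks of votes "by contributors", but contributors have no vote anywhere in the table, so it should say maintainers (or reviewers). Two smaller points: "Larger Changes" introduces a 2/3-of-maintainers threshold that the Decision Making section, which only defines Simple Majority, does not mention, and the Security section's "see `SECURITY.md` if present" hedge should become a definite reference once the file's presence in the repository is confirmed. Terminal periods are also applied inconsistently across the Community Roles and maintainer-addition bullets.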


@ -1,5 +0,0 @@
Joel Speed <joel@oauth2-proxy.dev> (@JoelSpeed)
Nick Meves <nick@oauth2-proxy.dev> (@NickMeves)
Braunson <braunson@oauth2-proxy.dev> (@braunsonm)
Jan Larwig <jan@oauth2-proxy.dev> (@tuunit)
Koen van Zuijlen <koen@oauth2-proxy.dev> (@kvanzuijlen)
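Review bot: of the five people removed here, only Joel Speed, Jan Larwig and Koen van Zuijlen carry over to the active table in the new MAINTAINERS.md; Nick Meves and Braunson move to the Emeritus list. Since the governance text in this same change requires moves to Emeritus to go through the decision-making process, the commit message should record that this was agreed. Also check for anything that still links to this plain-text list (docs, release tooling) and point it at MAINTAINERS.md.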

33
MAINTAINERS.md Normal file

@ -0,0 +1,33 @@
# Maintainers
The table below lists all current maintainers for the oauth2-proxy as defined
by our [project governance](GOVERNANCE.md).
| Name | GitHub Handle | Domains of reponsibility | Email Alias | Affiliation |
| ---------------- | ------------------------------------------------------ | ------------------------ | -------------------------- | ----------- |
| Joel Speed | [@JoelSpeed](https://github.com/joelspeed) | Governance, Core | joel@oauth2-proxy.dev | Red Hat |
| Jan Larwig | [@tuunit](https://github.com/tuunit) | Governance, Core | jan@oauth2-proxy.dev | IONOS Cloud |
| JJ Łakis | [@jjlakis](https://github.com/jjlakis) | Provider | jj@oauth2-proxy.dev | - |
| Koen van Zuijlen | [@kvanzuijlen](https://github.com/kvanzuijlen) | CI | koen@oauth2-proxy.dev | - |
| Pierluigi Lenoci | [@pierluigilenoci](https://github.com/pierluigilenoci) | Helm | pierluigi@oauth2-proxy.dev | SAP |
## Emeritus Maintainers
We would like to highlight that this project does have prior maintainers and
core contributors that, if they so wished, could (and should) be granted the
status of emeritus maintainers.
| Name | GitHub Handle |
| ------------- | ------------------------------------------------------ |
| Nick Meves | [@NickMeves](https://github.com/NickMeves) |
| Braunson | [@braunsonm](https://github.com/braunsonm) |
| Henry Jenkins | [@steakunderscore](https://github.com/steakunderscore) |
## Security Response Team and GitHub Organization Owners
The following maintainers are members of the security response team and owners
of the GitHub organization.
- Joel Speed
- Jan Larwig
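Review bot: typo in the table header, "Domains of reponsibility" should be "Domains of responsibility". The Emeritus paragraph says prior maintainers "could (and should) be granted" emeritus status, which reads as if that has not happened, yet the table directly below already lists them under "Emeritus Maintainers"; reword it to state that they are emeritus maintainers. Minor: the Joel Speed link uses the lowercase path github.com/joelspeed while the handle is @JoelSpeed; GitHub resolves it, but matching case avoids confusion. The Security Response Team section is the only place that team is named, so GOVERNANCE.md's Security section could reference it so reporters know who handles privately coordinated fixes.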


@ -1,9 +1,12 @@
[![Continuous Integration](https://github.com/oauth2-proxy/oauth2-proxy/actions/workflows/ci.yml/badge.svg)](https://github.com/oauth2-proxy/oauth2-proxy/actions/workflows/ci.yml)
[![Go Report Card](https://goreportcard.com/badge/github.com/oauth2-proxy/oauth2-proxy)](https://goreportcard.com/report/github.com/oauth2-proxy/oauth2-proxy)
[![GoDoc](https://godoc.org/github.com/oauth2-proxy/oauth2-proxy?status.svg)](https://godoc.org/github.com/oauth2-proxy/oauth2-proxy)
[![Go Report Card](https://goreportcard.com/badge/github.com/oauth2-proxy/oauth2-proxy/v7)](https://goreportcard.com/report/github.com/oauth2-proxy/oauth2-proxy/v7)
[![GoDoc](https://godoc.org/github.com/oauth2-proxy/oauth2-proxy/v7?status.svg)](https://godoc.org/github.com/oauth2-proxy/oauth2-proxy/v7)
[![MIT licensed](https://img.shields.io/badge/license-MIT-blue.svg)](./LICENSE)
[![Maintainability](https://api.codeclimate.com/v1/badges/a58ff79407212e2beacb/maintainability)](https://codeclimate.com/github/oauth2-proxy/oauth2-proxy/maintainability)
[![Test Coverage](https://api.codeclimate.com/v1/badges/a58ff79407212e2beacb/test_coverage)](https://codeclimate.com/github/oauth2-proxy/oauth2-proxy/test_coverage)
[![Maintainability](https://qlty.sh/gh/oauth2-proxy/projects/oauth2-proxy/maintainability.svg)](https://qlty.sh/gh/oauth2-proxy/projects/oauth2-proxy)
[![Code Coverage](https://qlty.sh/gh/oauth2-proxy/projects/oauth2-proxy/coverage.svg)](https://qlty.sh/gh/oauth2-proxy/projects/oauth2-proxy)
[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/oauth2-proxy/oauth2-proxy/badge)](https://scorecard.dev/viewer/?uri=github.com/oauth2-proxy/oauth2-proxy)
[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/11223/badge)](https://www.bestpractices.dev/projects/11223)
![OAuth2 Proxy](docs/static/img/logos/OAuth2_Proxy_horizontal.svg)
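Review bot: the GoDoc badge still points at godoc.org, which redirects to pkg.go.dev; switch both the badge image and the link to pkg.go.dev (for example https://pkg.go.dev/badge/github.com/oauth2-proxy/oauth2-proxy/v7.svg and https://pkg.go.dev/github.com/oauth2-proxy/oauth2-proxy/v7) so the badge does not depend on the redirect. Confirm a Go Report Card report exists for the /v7 module path before merge, and that the qlty.sh project and the hard-coded OpenSSF Best Practices id 11223 resolve, so the README does not ship broken badge images.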
@ -35,9 +38,6 @@ These images are considered unstable and therefore should **NOT** be used for pr
## Sponsors
![Microsoft](https://upload.wikimedia.org/wikipedia/commons/9/96/Microsoft_logo_%282012%29.svg)
Microsoft Azure credits for open source projects
Would you like to sponsor the project then please contact us at [sponsors@oauth2-proxy.dev](mailto:sponsors@oauth2-proxy.dev)
## Getting Involved
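Review bot: with the Microsoft logo and the Azure credits line removed, the Sponsors section holds only the contact sentence, and that sentence is ungrammatical: "Would you like to sponsor the project then please contact us at ..." should read "If you would like to sponsor the project, please contact us at ...". If the Azure sponsorship has ended, a line in the commit message saying so would help future readers of the history.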
@ -81,6 +81,19 @@ See [open redirect vulnerability](https://github.com/oauth2-proxy/oauth2-proxy/s
**2020-03-29:** This project was formerly hosted as `pusher/oauth2_proxy` but has been renamed to `oauth2-proxy/oauth2-proxy`. Going forward, all images shall be available at `quay.io/oauth2-proxy/oauth2-proxy` and binaries will be named `oauth2-proxy`.
## Code of Conduct
Participation in the OAuth2-Proxy project is governed by the [CNCF Code of Conduct](CODE_OF_CONDUCT.md).
## License
OAuth2-Proxy is distributed under [The MIT License](LICENSE).
[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Foauth2-proxy%2Foauth2-proxy.svg?type=large&issueType=license)](https://app.fossa.com/projects/git%2Bgithub.com%2Foauth2-proxy%2Foauth2-proxy?ref=badge_large&issueType=license)
## Trademarks
OAuth2-Proxy is a [Cloud Native Computing Foundation](https://cncf.io) Sandbox project.
![CNCF](https://www.cncf.io/wp-content/uploads/2023/04/cncf-main-site-logo.svg)
The Linux Foundation® (TLF) has registered trademarks and uses trademarks. For a list of TLF trademarks, see [Trademark Usage](https://www.linuxfoundation.org/legal/trademark-usage).
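Review bot: the Trademarks heading contains the CNCF Sandbox statement and the CNCF logo, which describe project affiliation rather than trademarks; the docs index in this same change places that content under a "Cloud Native Computing Foundation" heading, so the README should mirror it and keep "Trademarks" for the Linux Foundation trademark notice only. Also confirm CODE_OF_CONDUCT.md exists at the repository root, since the new Code of Conduct section links to it by relative path.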


@ -21,3 +21,12 @@ A list of changes can be seen in the [CHANGELOG](https://github.com/oauth2-proxy
## Architecture
![OAuth2 Proxy Architecture](/img/simplified-architecture.svg)
## Cloud Native Computing Foundation
OAuth2-Proxy is a [Cloud Native Computing Foundation](https://cncf.io) Sandbox project.
![CNCF](https://www.cncf.io/wp-content/uploads/2023/04/cncf-main-site-logo.svg)
The Linux Foundation® (TLF) has registered trademarks and uses trademarks. For a list of TLF trademarks, see [Trademark Usage](https://www.linuxfoundation.org/legal/trademark-usage).
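Review bot: the CNCF logo is hot-linked from www.cncf.io, so the docs site now depends on that host's availability and URL stability; consider vendoring the SVG under the docs static image directory as is done for the architecture diagram at /img/simplified-architecture.svg. The identical block is added to a second index file later in this change, so both copies must be kept in sync to avoid drift.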


@ -118,7 +118,7 @@ const config = {
},
footer: {
style: 'dark',
copyright: `Copyright © ${new Date().getFullYear()} OAuth2 Proxy.`,
copyright: `Copyright © ${new Date().getFullYear()} OAuth2-Proxy a Series of LF Projects, LLC.<br>For website terms of use, trademark policy and other project policies please see lfprojects.org/policies/`,
},
prism: {
theme: prismThemes.github,
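Review bot: the new copyright string is missing a comma in "OAuth2-Proxy a Series of LF Projects, LLC." (it should be "OAuth2-Proxy, a Series of LF Projects, LLC."). Since the string is already rendered as HTML (it contains `<br>`), "lfprojects.org/policies/" can be a real anchor, e.g. `<a href="https://lfprojects.org/policies/">lfprojects.org/policies/</a>`, rather than bare text the reader has to copy.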


@ -21,3 +21,12 @@ A list of changes can be seen in the [CHANGELOG](https://github.com/oauth2-proxy
## Architecture
![OAuth2 Proxy Architecture](/img/simplified-architecture.svg)
## Cloud Native Computing Foundation
OAuth2-Proxy is a [Cloud Native Computing Foundation](https://cncf.io) Sandbox project.
![CNCF](https://www.cncf.io/wp-content/uploads/2023/04/cncf-main-site-logo.svg)
The Linux Foundation® (TLF) has registered trademarks and uses trademarks. For a list of TLF trademarks, see [Trademark Usage](https://www.linuxfoundation.org/legal/trademark-usage).
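Review bot: this hunk is identical to the earlier index.md hunk; if this second file is a versioned copy of the docs, adding affiliation and trademark text to an already-published version is a deliberate choice worth stating in the commit message, and the two copies will need to be updated together whenever the notice changes.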