Add a detailed allowed_groups example to Important Notes
parent 65e15f24c1
commit 753f6c548a
				|  | @ -7,8 +7,13 @@ | ||||||
| - [#936](https://github.com/oauth2-proxy/oauth2-proxy/pull/936) `--user-id-claim` option is deprecated and replaced by `--oidc-email-claim` | - [#936](https://github.com/oauth2-proxy/oauth2-proxy/pull/936) `--user-id-claim` option is deprecated and replaced by `--oidc-email-claim` | ||||||
| - [#630](https://github.com/oauth2-proxy/oauth2-proxy/pull/630) Gitlab projects needs a Gitlab application with the extra `read_api` enabled | - [#630](https://github.com/oauth2-proxy/oauth2-proxy/pull/630) Gitlab projects needs a Gitlab application with the extra `read_api` enabled | ||||||
| - [#849](https://github.com/oauth2-proxy/oauth2-proxy/pull/849) `/oauth2/auth` `allowed_groups` querystring parameter can be paired with the `allowed-groups` configuration option. | - [#849](https://github.com/oauth2-proxy/oauth2-proxy/pull/849) `/oauth2/auth` `allowed_groups` querystring parameter can be paired with the `allowed-groups` configuration option. | ||||||
|   - In this scenario, the user's group must be in both lists to not get a 401 or 403 response code. |  | ||||||
|   - The `allowed_groups` querystring parameter can specify multiple comma delimited groups. |   - The `allowed_groups` querystring parameter can specify multiple comma delimited groups. | ||||||
|  |   - In this scenario, the user must have a group (from their multiple groups) present in both lists to not get a 401 or 403 response code. | ||||||
|  |   - Example: | ||||||
|  |     - OAuth2-Proxy globally sets the `allowed_groups` as `engineering`. | ||||||
|  |     - An application using Kubernetes ingress uses the `/oauth2/auth` endpoint with `allowed_groups` querystring set to `backend`. | ||||||
|  |     - A user must have a session with the groups `["engineering", "backend"]` to pass authorization. | ||||||
|  |     - Another user with the groups `["engineering", "frontend"]` would fail the querystring authorization portion. | ||||||
| - [#905](https://github.com/oauth2-proxy/oauth2-proxy/pull/905) Existing sessions from v6.0.0 or earlier are no longer valid. They will trigger a reauthentication. | - [#905](https://github.com/oauth2-proxy/oauth2-proxy/pull/905) Existing sessions from v6.0.0 or earlier are no longer valid. They will trigger a reauthentication. | ||||||
| - [#826](https://github.com/oauth2-proxy/oauth2-proxy/pull/826) `skip-auth-strip-headers` now applies to all requests, not just those where authentication would be skipped. | - [#826](https://github.com/oauth2-proxy/oauth2-proxy/pull/826) `skip-auth-strip-headers` now applies to all requests, not just those where authentication would be skipped. | ||||||
| - [#797](https://github.com/oauth2-proxy/oauth2-proxy/pull/797) The behavior of the Google provider Groups restriction changes with this | - [#797](https://github.com/oauth2-proxy/oauth2-proxy/pull/797) The behavior of the Google provider Groups restriction changes with this | ||||||
|  |  | ||||||
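Review bot: the rewritten bullet ("the user must have a group (from their multiple groups) present in both lists") contradicts the example added right below it. With the global list set to `engineering` and the querystring set to `backend`, the user who passes has the groups `["engineering", "backend"]`, yet neither of those groups appears in both lists: `engineering` is only in the global list and `backend` only in the querystring. What the example actually shows is that each list is satisfied independently, so the wording should say something like "the user must have at least one group matching the global `allowed-groups` option and at least one group matching the querystring `allowed_groups`; otherwise a 401 or 403 is returned." Also, the first example sub-bullet calls the global setting `allowed_groups`, while the parent bullet names the configuration option `allowed-groups` and reserves `allowed_groups` for the querystring parameter; keep that distinction consistent so readers do not conflate the two.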
|  | @ -1026,6 +1026,11 @@ func (p *OAuthProxy) getAuthenticatedSession(rw http.ResponseWriter, req *http.R | ||||||
| 
 | 
 | ||||||
| // authOnlyAuthorize handles special authorization logic that is only done
 | // authOnlyAuthorize handles special authorization logic that is only done
 | ||||||
| // on the AuthOnly endpoint for use with Nginx subrequest architectures.
 | // on the AuthOnly endpoint for use with Nginx subrequest architectures.
 | ||||||
|  | //
 | ||||||
|  | // TODO (@NickMeves): This method is a placeholder to be extended but currently
 | ||||||
|  | // fails the linter. Remove the nolint when functionality expands.
 | ||||||
|  | //
 | ||||||
|  | //nolint:S1008
 | ||||||
| func authOnlyAuthorize(req *http.Request, s *sessionsapi.SessionState) bool { | func authOnlyAuthorize(req *http.Request, s *sessionsapi.SessionState) bool { | ||||||
| 	// Allow secondary group restrictions based on the `allowed_groups`
 | 	// Allow secondary group restrictions based on the `allowed_groups`
 | ||||||
| 	// querystring parameter
 | 	// querystring parameter
 | ||||||
|  |  | ||||||
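Review bot: the added `//nolint:S1008` directive is placed immediately below the function's doc comment, so the TODO text and the nolint line become part of `authOnlyAuthorize`'s documentation rather than a linter annotation, and the directive suppresses gosimple's S1008 (simplify boolean return) for the whole function. Since the comment itself says the function is a placeholder to be extended, a function-wide suppression is likely to outlive its reason once more logic is added. Suggest attaching the directive to the specific line that trips S1008 (or to the `func` line, e.g. `func authOnlyAuthorize(req *http.Request, s *sessionsapi.SessionState) bool { //nolint:S1008`), or restructuring the return so the finding disappears and the nolint is not needed at all; either way, drop the "fails the linter" TODO once the suppression is gone.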