165 Commits

Author SHA1 Message Date
Zadkiel 7404195c6e
Add oidc-issuer-url arg to README 2019-02-13 16:34:46 +01:00
Joel Speed 09c6bd77ed
Add note on changed flush-interval behaviour 2019-02-08 14:16:41 +00:00
Joel Speed 5b95ed3552
Update release notes for v3.1.0 2019-02-08 11:57:17 +00:00
Martin Loetzsch 2ca5de9d44 update Readme for Azure Active Directory 2019-02-06 23:07:53 +01:00
Joel Speed fb13ee87c8
Merge pull request #34 from marratj/cookie-separator
Change cookie index separator to underscore
2019-02-03 13:21:51 +00:00
Marcel D. Juhnke 72d4c49be0 remove duplicate lines 2019-02-02 15:00:10 +01:00
Joel Speed cd37a14fc0
Added more context as suggested by JoelSpeed.
Co-Authored-By: marratj <marrat@marrat.de>
2019-02-02 12:47:21 +01:00
Marcel Juhnke c574346086 add nginx cookie part extraction to README 2019-02-01 18:10:44 +01:00
Joel Speed 81f77a55de
Add note on subdomain behaviour 2019-01-30 17:30:48 +00:00
Joel Speed 0925b88d17
Update documentation and changelog 2019-01-22 11:36:52 +00:00
Joel Speed d472cf1645
Release v3.0.0 2019-01-14 10:07:22 +00:00
Joel Speed f80ce246f3
Fix repo link 2019-01-07 16:43:27 +00:00
Joel Speed 39d11b486f
Fix Quay link 2018-12-20 14:30:37 +00:00
Joel Speed 52f27f76dd
Add docker image note to README 2018-12-20 14:28:13 +00:00
Joel Speed 3253bef854
Add CONTRIBUTING guide 2018-12-20 14:14:04 +00:00
Joel Speed d41089d315
Update README to reflect new repo ownership 2018-11-27 12:08:21 +00:00
Joel Speed bfdccf681a
Add Fork notice 2018-11-27 11:23:37 +00:00
Jérôme Lecorvaisier 2db0443e04
typo(README): Terminiation » Termination 2018-03-01 12:10:02 -05:00
Pierce Lopez 20e87edde8 README: fix nginx auth_request example for requests with body
Nginx never sends the body with the auth_request sub-request, but
keeps the original Content-Length header by default. Without some
config tweaks, this results in the request to /oauth2/auth hanging.
2017-12-18 20:55:37 -05:00
Tanvir Alam faff555c55
Merge pull request #423 from Jimdo/configure_accesslog_format
Make Request Logging Format Configurable
2017-12-04 12:56:54 -05:00
Paul Seiffert 69550cbb23 Document request-logging-format option 2017-12-04 12:52:47 -05:00
Tanvir Alam dc65ff800f distribution: create sha256sum.txt file when creating binaries to allow validation of checksums.
* update README.md to include instructions on how to verify prebuilt binaries for new releases.
2017-11-21 15:00:30 -05:00
Tanvir Alam f2a995b8d9 providers: update gitlab api endpoint to use latest version, v4 2017-11-06 12:05:58 -05:00
Jehiah Czebotar bfda078caa Merge pull request #376 from reedloden/make-cookie-domain-optional
Don't set the cookie domain to the host by default, as it breaks Cookie Prefixes
2017-10-23 14:14:45 -04:00
Jehiah Czebotar fd3925d204 Merge pull request #444 from Starefossen/patch-1
Clarify that GitHub team option in README
2017-10-23 11:52:21 -04:00
Joshua Carp d118cb7bbb Drop deprecated MyUSA provider.
[Resolves #390]
2017-10-08 01:01:15 -04:00
Jehiah Czebotar e87c3eee13 Merge pull request #389 from ericchiang/oidc-provider
*: add an OpenID Connect provider
2017-09-09 20:44:59 -04:00
Eric Chiang cb48577ede *: add an OpenID Connect provider
See the README for usage with Dex or any other OIDC provider.

To test run a backend:

    python3 -m http.server

Run dex and modify the example config with the proxy callback:

    go get github.com/coreos/dex/cmd/dex
    cd $GOPATH/src/github.com/coreos/dex
    sed -i.bak \
      's|http://127.0.0.1:5555/callback|http://127.0.0.1:5555/oauth2/callback|g' \
       examples/config-dev.yaml
    make
    ./bin/dex serve examples/config-dev.yaml

Then run the oauth2_proxy

    oauth2_proxy \
      --oidc-issuer-url http://127.0.0.1:5556/dex \
      --upstream http://localhost:8000 \
      --client-id example-app \
      --client-secret ZXhhbXBsZS1hcHAtc2VjcmV0 \
      --cookie-secret foo \
      --email-domain '*' \
      --http-address http://127.0.0.1:5555 \
      --redirect-url http://127.0.0.1:5555/oauth2/callback \
      --cookie-secure=false

Login with the username/password "admin@example.com:password"
2017-09-08 09:32:51 -07:00
Hans Kristian Flaatten 94574df274 Clarify that GitHub team slug name should be used for the `-github-team` option 2017-09-05 22:58:53 +02:00
Jehiah Czebotar 678290035c Merge pull request #410 from sobolevn/patch-1
Updates README.md with svg badge
2017-08-28 20:50:07 -04:00
Christian Svensson f4321c4b45 Update cookie generation to match base64 encoding
Current code is using URLEncoding but example was using the
standard RFC 4648 encoding. Switch to using the URL
encoding in the example as well.
2017-07-20 13:28:41 +02:00
Nikita Sobolev e6e60c4b60 Updates README.md with svg badge 2017-06-29 09:36:31 +03:00
Bart Spaans 7fea71a4ce Update Google Auth Provider instructions 2017-06-21 11:03:24 +01:00
Shivansh Dhar c8c6b66465 Fix spelling mistake in docs 2017-06-09 12:17:24 -04:00
Pierce Lopez 6d295f8446 README: nginx auth_request example refresh cookie handling
how to pass back the refreshed oauth2_proxy cookie from an nginx auth_request
2017-04-24 17:59:21 -04:00
Pierce Lopez 7f5672b433 README: simplify nginx auth_request example
/oauth2/auth is not more sensitive than other /oauth2/ paths,
does not need "internal" protection

"spdy" protocol is obsolete, http2 is the thing to enable now.
But it's orthogonal anyway.

No need for two separate content/upstream location blocks in
this example, reduce to just one, with a comment that it could
be serving files instead of proxying.
2017-04-24 17:56:15 -04:00
Reed Loden b6bd878f27 Don't set the cookie domain to the host by default, as it breaks Cookie Prefixes
The Cookie Prefixes spec disallows the use of the `domain` attribute in cookies
if the `__Host-` prefix is used
(https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00#section-3.2).

There's no need to set it to the host by default, so make it optional. If it is
set to a non-empty value, still output a warning if it is not a suffix of the
host, as that's likely not wanted.

Fixes #352.
2017-04-24 13:03:40 -07:00
Jehiah Czebotar f457a9042a Readme: update --help usage 2017-04-24 12:16:16 -04:00
Jehiah Czebotar 3fa5635d6c
Release 2.2.0 2017-04-24 12:11:23 -04:00
idntfy 1e7d2a08a3 #369: Optionally allow skipping authentication for preflight requests 2017-04-07 15:01:47 +03:00
Ashish Kulkarni fe44b89f57 update documentation for Nginx auth_request mode 2017-03-29 21:28:55 +05:30
Jehiah Czebotar dcf62d06df option for skipping OAuth provider SSL verification 2017-03-29 10:57:07 -04:00
Omar Elazhary 24f91a0b60 Allow to pass user headers only (issue #205)
* This fixes https://github.com/bitly/oauth2_proxy/issues/205
* Add new boolean option -pass-user-headers
  to control whether X-Forwarded-User and X-Forwarded-Email
  headers will be set (as opposed to HTTP BASIC auth)
* This is required e.g. for grafana [1] where
  X-Forwarded-User is needed but HTTP BASIC auth fails
  (password is not known and must not be known in this scenario)
* Keep behaviour of PassBasicAuth unchanged for compatibility

[1] http://docs.grafana.org/installation/configuration/#authproxy
2017-01-24 11:11:58 +01:00
ReadmeCritic 4203c26d7c Correct the spelling of GitHub in README 2016-11-18 09:31:22 -08:00
Mark Herhold 116b84906e Adding skip-provider-button docs 2016-07-30 22:34:28 -04:00
Nick Semenkovich 17f412e407 docs: working nginx auth_request example (#273) 2016-07-05 09:38:34 -04:00
Nick Semenkovich 56bf3f8add Fix documentation for auth_request directive
The correct endpoint is /oauth2/auth
2016-06-27 20:10:22 -05:00
Jehiah Czebotar 671f00e60e
cookie secret: give helper command for generating a secret 2016-06-23 09:42:32 -04:00
Jehiah Czebotar 3bba24ab31
Bump version to 2.1 2016-06-23 09:35:33 -04:00
Jehiah Czebotar a0763477c5
Facebook Authentication Provider
* will not re-prompt if the email permission is denied, or if you previously authorized the same FB app without the email scope.
2016-06-23 08:43:21 -04:00
Jehiah Czebotar bcb8064831
github: fix github enterprise support 2016-06-20 08:15:07 -04:00
Joakim Gustin 60a59ce7b1 Fix typo 2016-04-12 07:26:13 +02:00
Mike Bland 87d80d6d22 OAUTH2_PROXY_SIGNATURE_KEY env var, README update 2016-02-24 08:23:31 -05:00
Jehiah Czebotar 293d674e14 Merge pull request #214 from raphink/github_multiple_teams
github provider: allow multiple teams
2016-02-17 17:24:50 -05:00
Raphaël Pinson 338e99773a github provider: allow multiple teams 2016-02-17 23:17:08 +01:00
Jehiah Czebotar bfb8dc13bf Merge pull request #211 from pmosbach/gitlab-provider
Add GitLab provider
2016-02-17 09:04:07 -05:00
pmosbach 034612bf8b Add GitLab provider 2016-02-17 06:19:52 -06:00
Robert Hencke 51dbc9fb9b Fix small typo in README.md. 2016-02-16 17:07:26 -05:00
Alex c0a18a5cb3 fixed formatting 2016-02-13 01:41:10 -06:00
Jehiah Czebotar 36128e971f Merge pull request #197 from ruta-goomba/enterprise-github
use Github provider with GitHub enterprise
2016-02-06 13:24:48 -06:00
Ruta Sakalauskaite 79b548dae6 modifying README to add information about use with enterprise github 2016-01-21 21:54:29 +00:00
Eelco Cramer 10f47e325b Add Azure Provider 2016-01-20 03:57:17 -05:00
funkymrrogers 0fad1da1df Google UI changes
Google changed to developer console UI, updated walkthrough to match new UI.
2015-12-16 19:10:38 -06:00
Mike Bland e4626c1360 Sign Upstream requests with HMAC. closes #147 2015-11-15 22:09:30 -05:00
Mike Bland d247274b06 Add nginx auth_request config to README 2015-11-09 11:00:18 -05:00
Mike Bland e61fc9e7a6 Add /auth endpoint to support Nginx's auth_request
Closes #152.
2015-11-09 10:31:41 -05:00
Jeppe Toustrup ffeccfe552 Add support for serving static files from a directory
The path should be provided as a file:// url with the full operating system path.
An alias to where the directory is available as can be specified by appending
a fragment (ie. "#/static/") at the end of the URL.
2015-09-24 15:37:45 +02:00
Justin Burnham 3fd8f911c2 google: Support restricting access to a specific group(s) 2015-09-09 02:10:32 -07:00
Jehiah Czebotar d1c0208824 Merge pull request #131 from ebardsley/master
Allow passing the value of "approval_prompt" as a flag or option.
2015-08-27 07:33:07 -04:00
Srivatsa Ray 85fcd66be6 Google auth configuration screen flow has changed 2015-08-09 12:08:21 -07:00
Ed Bardsley 33045a792b Add a flag to set the value of "approval_prompt".
By setting this to "force", certain providers, like Google,
will interject an additional prompt on every new session. With other values,
like "auto", this prompt is not forced upon the user.
2015-07-31 00:43:47 -07:00
Sharif Nassar f3353c0eea Fix spelling
*snicker*
*titter*
*giggle*
2015-07-24 14:31:25 -07:00
Justin Burnham 7dd5d299e1 Add support for setting the basic auth password.
For tools that don't like empty passwords, this change allows
one to set a shared secret password for all users.
2015-07-24 09:17:43 +00:00
Jehiah Czebotar 3a792555f1 tag v2.0.1 2015-07-02 23:29:25 -04:00
Jehiah Czebotar 51852c045a Doc updates clarifying external Load Balancer config 2015-07-02 23:21:59 -04:00
Jehiah Czebotar aa0a725a3a Readme: doc updates 2015-06-23 14:01:05 -04:00
Jehiah Czebotar d78aa13464 v2.0 & cleanup changes
* bump version to 2.0
* remove --cookie-https-only option
* add windows build to dist.sh
* rename --cookie-key to --cookie-name
2015-06-12 13:07:26 -04:00
Jehiah Czebotar f5b2b20f67 support TLS directly 2015-06-07 23:14:48 -04:00
Jehiah Czebotar f5db2e1ff7 More complete HTTP error logging 2015-06-07 21:03:53 -04:00
Jehiah Czebotar 56d19b1c84 disable email validation; rename email-domain argument
This adds a "*" option to --email-domain to disable email validation, and this renames `--google-apps-domain` to `--email-domain` for clarity across providers
2015-06-06 14:37:54 -04:00
tonymeng c5ccd43767 Enable specific oauth2proxy path; change cookie name to _oauth2proxy 2015-06-06 14:21:42 -04:00
Jehiah Czebotar a80aad04f7 Readme Updates 2015-05-21 09:54:21 -04:00
Jehiah Czebotar b96a078839 Project Rename -> oauth2_proxy 2015-05-21 02:55:04 -04:00
Jehiah Czebotar 37b38dd2f4 Github provider 2015-05-21 02:21:19 -04:00
Jehiah Czebotar 9047920e90 Merge pull request #88 from 18F/auto-refresh
Auto refresh auth token
2015-05-11 22:24:50 -04:00
Mike Bland 2808ba7beb Update cookie-refresh doc string 2015-05-11 09:55:07 -04:00
Mike Bland 5b07d9fcef Provide a robots.txt that denies all crawlers 2015-05-10 15:15:52 -04:00
Mike Bland 082b7c0ec8 Set cookie-refresh flag = 0; update README, config 2015-05-09 17:36:17 -04:00
Darren Lee 5bc77b0ee8 LinkedIn OAuth support. 2015-04-17 17:35:40 -07:00
Mike Bland ad3c9a886f Pass the access token to the upstream client
This is accomplished by encoding the access_token in the auth cookie and
unpacking it as the X-Forwarded-Access-Token header for upstream requests.
2015-04-03 15:32:01 -04:00
Mike Bland 291a0b76b9 Add alternate provider information to README 2015-03-31 15:31:22 -04:00
Jehiah Czebotar b9b5e817fc improve request logging (closer to Apache Common Log) 2015-03-19 22:34:01 -04:00
Jehiah Czebotar de04e0c519 rename cookie secure flag 2015-03-19 14:08:17 -04:00
Jehiah Czebotar ebae065b11 make redirect_uri optional 2015-03-19 14:03:05 -04:00
Jehiah Czebotar 2b2324e410 support (optional) custom templates 2015-03-17 18:11:58 -04:00
Jehiah Czebotar 263e16eeea add --proxy-host-header option 2015-03-17 15:53:01 -04:00
David Howden 975c7173c2 Added scheme parsing to http-address param
Can now listen for HTTP clients on unix sockets (and any other Go-supported stream oriented network - see golang.org/pkg/net/#Listen). Default behaviour is unchanged, any http-address without a scheme is given the default of tcp.

Amended the README so that the usage output is up to date.
2015-02-11 14:51:57 +11:00
Rhommel Lamas 942245f93d Fix typo 2014-12-29 11:24:46 +01:00
Jehiah Czebotar ba7aee91d6 update install steps; show login img 2014-11-09 22:06:40 -05:00
Jehiah Czebotar 9060feb436 better environment parsing 2014-11-09 21:12:36 -05:00