* update to release version v7.15.2
* doc: add changelog entry for v7.15.2
Signed-off-by: Jan Larwig <jan@larwig.com>
* fix(deps): override webpackbar to v7 for webpack 5.106.0 compatibility
As outlined in https://github.com/facebook/docusaurus/issues/11923
Signed-off-by: Jan Larwig <jan@larwig.com>
* chore: fix local test files for nginx setup
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* fix: clear session cookie at beginning of signinpage handler
Co-authored-by: Christopher Schrewing <christopher.schrewing@weidmueller.com>
Signed-off-by: Michael Bella <michael.bella@weidmueller.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
* test: clear session cookie at beginning of signinpage handler
Signed-off-by: Jan Larwig <jan@larwig.com>
* doc: changelog entry for GHSA-f24x-5g9q-753f
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Michael Bella <michael.bella@weidmueller.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Christopher Schrewing <christopher.schrewing@weidmueller.com>
* fix: invalidate session on fatal OAuth2 refresh errors
When a token refresh fails with a fatal OAuth2 error (invalid_grant,
invalid_client), the session is now cleared from the session store
and the cookie is removed, forcing re-authentication.
Previously, fatal refresh errors were logged but the stale session
continued to be served, leaving users logged in indefinitely after
their session was revoked at the provider level.
Transient errors (network timeouts, server errors) continue to
preserve the existing session as before.
Fixes #1945
Signed-off-by: Francesco Pasqualini <frapas@gmail.com>
* fix: apply review nits and add CHANGELOG entry
Signed-off-by: Francesco Pasqualini <frapas@gmail.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Francesco Pasqualini <frapas@gmail.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
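The fatal-versus-transient policy described in the refresh-error commit above, as an added Go example; this is illustrative code, not oauth2-proxy's own implementation, and the `tokenError` type and in-memory `sessionStore` are assumed stand-ins for the real provider error and session store.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// tokenError is a constructed stand-in for the error a token endpoint returns
// (RFC 6749 error codes); it is an assumption, not oauth2-proxy's own type.
type tokenError struct {
	Status    int
	ErrorCode string
}

func (e *tokenError) Error() string { return fmt.Sprintf("oauth2: %d %s", e.Status, e.ErrorCode) }

// isFatalRefreshError reports whether a refresh failure means the grant is gone
// for good (revoked, or the client is no longer valid) rather than transient.
func isFatalRefreshError(err error) bool {
	var te *tokenError
	if !errors.As(err, &te) {
		return false // network timeout, DNS failure and the like: transient
	}
	if te.Status >= 500 {
		return false // provider outage: transient, keep the session
	}
	switch te.ErrorCode {
	case "invalid_grant", "invalid_client":
		return true
	}
	return false
}

// sessionStore is a minimal in-memory stand-in for the session store (assumed).
type sessionStore struct{ sessions map[string]bool }

// handleRefresh applies the policy in the commit: a fatal error clears the stored
// session and expires the cookie so the user must re-authenticate; anything else
// leaves the existing session in place. It reports whether it cleared.
func handleRefresh(store *sessionStore, w http.ResponseWriter, sessionID string, refreshErr error) bool {
	if refreshErr == nil || !isFatalRefreshError(refreshErr) {
		return false
	}
	delete(store.sessions, sessionID)
	http.SetCookie(w, &http.Cookie{Name: "_oauth2_proxy", Value: "", Path: "/", // default cookie name
		MaxAge: -1, HttpOnly: true, Secure: true})
	return true
}
```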
* update to release version v7.15.1
* doc: release notes for v7.15.1
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* Propagate errors during route building
This fixes cases such as invalid paths being silently discarded after
creation by throwing a visible error in such cases.
Due to the way gorilla/mux's fluent API is designed, it is necessary to
manually call `.GetError()` to check for errors while building routes.
Signed-off-by: Simon Engmann <simon.engmann@sovity.de>
* Add test for route building error propagation
Signed-off-by: Simon Engmann <simon.engmann@sovity.de>
* Add route building error propagation to changelog
Signed-off-by: Simon Engmann <simon.engmann@sovity.de>
---------
Signed-off-by: Simon Engmann <simon.engmann@sovity.de>
Co-authored-by: Simon Engmann <simon.engmann@sovity.de>
* Improve logging for session refresh token status
Signed-off-by: Yosri Barhoumi <med.yosri.brh@gmail.com>
* doc: add changelog entry for #3327
Signed-off-by: Jan Larwig <jan@larwig.com>
* test: fix existing test cases for new behaviour
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Yosri Barhoumi <med.yosri.brh@gmail.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* fix: handle Unix socket RemoteAddr in IP resolution
When oauth2-proxy listens on a Unix socket, Go sets RemoteAddr to "@"
instead of the usual "host:port" format. This caused net.SplitHostPort
to fail on every request, flooding logs with errors:
Error obtaining real IP for trusted IP list: unable to get ip and
port from http.RemoteAddr (@)
Fix by handling the "@" RemoteAddr at the source in getRemoteIP,
returning nil without error since Unix sockets have no meaningful
client IP. Also simplify the isTrustedIP guard and add a nil check
in GetClientString to prevent calling String() on nil net.IP.
Fixes #3373
Signed-off-by: h1net <ben@freshdevs.com>
* docs: add changelog entry and Unix socket trusted IPs documentation
Add changelog entry for #3374. Document that trusted IPs cannot match
against RemoteAddr for Unix socket listeners since Go sets it to "@",
and that IP-based trust still works via X-Forwarded-For with reverse-proxy.
Signed-off-by: Ben Newbery <ben.newbery@gmail.com>
Signed-off-by: h1net <ben@freshdevs.com>
* doc: fix changelog entry for #3374
Signed-off-by: Jan Larwig <jan@larwig.com>
* doc: add trusted ip section to versioned docs as well
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: h1net <ben@freshdevs.com>
Signed-off-by: Ben Newbery <ben.newbery@gmail.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
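The Unix-socket RemoteAddr handling described in the commit above, as an added Go example; it is an illustrative reimplementation, not oauth2-proxy's own code, and the function names `getRemoteIP`, `isTrustedIP` and `clientString` are assumed for the demonstration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
)

// getRemoteIP: a Unix socket listener yields the RemoteAddr "@", which carries
// no client IP, so it returns nil with no error; anything else must be
// "host:port" or it is an error (illustrative, not oauth2-proxy's code).
func getRemoteIP(req *http.Request) (net.IP, error) {
	if req.RemoteAddr == "@" {
		return nil, nil
	}
	host, _, err := net.SplitHostPort(req.RemoteAddr)
	if err != nil {
		return nil, fmt.Errorf("unable to get ip and port from http.RemoteAddr (%s): %w", req.RemoteAddr, err)
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return nil, fmt.Errorf("unable to parse ip from http.RemoteAddr (%s)", host)
	}
	return ip, nil
}

// isTrustedIP: a nil IP (Unix socket) is never trusted by address; trust for
// such listeners has to come via X-Forwarded-For behind a reverse proxy.
func isTrustedIP(trusted []*net.IPNet, req *http.Request) bool {
	ip, err := getRemoteIP(req)
	if err != nil || ip == nil {
		return false
	}
	for _, n := range trusted {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// clientString is the peer address for logging; the nil check avoids String() on a nil net.IP.
func clientString(req *http.Request) string {
	ip, err := getRemoteIP(req)
	if err != nil || ip == nil {
		return ""
	}
	return ip.String()
}
```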
* add new docs version 7.15.x
* update to release version v7.15.0
* doc: changelog for v7.15.0 and extended docs for additional claims
* ci: fix trivy failure for release PR
---------
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
fix: linter issues and set default unix socket permissions to 0660
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Tristan <tristan@mangadex.org>
* the attribute version is obsolete, it will be ignored, please remove it to avoid potential confusion
Signed-off-by: Joost <439100+jvnoije@users.noreply.github.com>
* Add cookie-csrf-samesite option
Most of the code is copied from pull request #1947
Signed-off-by: Joost <439100+jvnoije@users.noreply.github.com>
* Update CHANGELOG.md
Signed-off-by: Joost <439100+jvnoije@users.noreply.github.com>
* Removed release information (review comment)
Signed-off-by: Joost <439100+jvnoije@users.noreply.github.com>
* All cookie variables in a struct
Signed-off-by: Joost <439100+jvnoije@users.noreply.github.com>
* doc: add changelog entry for #3347
Signed-off-by: Jan Larwig <jan@larwig.com>
* revert: unnecessary removal of docker compose version
Signed-off-by: Jan Larwig <jan@larwig.com>
* doc: sort csrf flags
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Joost <439100+jvnoije@users.noreply.github.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* feat: add --config-test flag for validating configuration without starting the proxy
Signed-off-by: MayorFaj <mayorfaj@gmail.com>
* doc: fix alpha config and add changelog entry for #3338
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: MayorFaj <mayorfaj@gmail.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* fix: filter empty strings from allowed groups
When parsing allowed groups from configuration (e.g., via environment
variable OAUTH2_PROXY_ALLOWED_GROUPS), viper may include empty
strings in the parsed slice when trailing commas are present
(e.g., "group2," becomes ["group2", ""]).
The setAllowedGroups function now filters out empty strings before
adding them to the AllowedGroups map, ensuring that only valid group
names are checked during authorization.
Fixes #3123
Signed-off-by: Br1an67 <932039080@qq.com>
* refactor: minor change
Signed-off-by: Jan Larwig <jan@larwig.com>
* doc: add changelog entry for 3365
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Br1an67 <932039080@qq.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* feat: add support for specifying allowed OIDC JWT signing algorithms (#2753)
TODO:
- [X] update docs
- [X] add support in yaml (modern) config
- [X] add more test(s)?
Add (legacy for now) configuration flag "oidc-enabled-signing-alg" (cfg:
oidc_enabled_signing_algs) that allows setting which signing algorithms
may be specified by the provider in the JWT header ("alg" header claim).
Particularly useful when skip_oidc_discovery = true, as the verifier
defaults to accepting only "RS256" in the alg field in such circumstances.
Signed-off-by: Jan Larwig <jan@larwig.com>
* doc: update changelog and alpha config
Signed-off-by: Jan Larwig <jan@larwig.com>
* feat: add signing algorithm intersection handling with oidc discovery and additional tests
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* feat: possibility to inject id_token in redirect url during sign out
Signed-off-by: Alban Fonrouge <alban.fonrouge@visma.com>
* doc: changelog for #3278
Signed-off-by: Jan Larwig <jan@larwig.com>
* test: fix assertion for TestIdTokenPlaceholderInSignOut
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Alban Fonrouge <alban.fonrouge@visma.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* feat: support additional claims
Signed-off-by: afsu <suaf2020@163.com>
Signed-off-by: af su <saf@zjuici.com>
* docs: clarify that AdditionalClaims may come from id_token or userinfo endpoint
Signed-off-by: afsu <suaf2020@163.com>
Signed-off-by: af su <saf@zjuici.com>
* feat: include AdditionalClaims in /oauth2/userinfo response (#834)
Signed-off-by: afsu <suaf2020@163.com>
Signed-off-by: af su <saf@zjuici.com>
* refactor: extract coerceClaim logic into util
Signed-off-by: afsu <suaf2020@163.com>
Signed-off-by: af su <saf@zjuici.com>
* doc: add changelog entry for #2685
Signed-off-by: Jan Larwig <jan@larwig.com>
* refactor: added more verbose comments to some struct fields and minor code cleanup
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: afsu <suaf2020@163.com>
Signed-off-by: af su <saf@zjuici.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: af su <saf@zjuici.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
Add statusRewrites (401 -> 302) to the ForwardAuth with Errors
middleware configuration and a troubleshooting note explaining that
without it, browsers may show a "Found." link instead of
auto-redirecting to the identity provider.
Fixes #3359
Signed-off-by: Nick Nikolakakis <nonicked@protonmail.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* Ensure Windows binary has .exe extension
Signed-off-by: Jan Larwig <jan@larwig.com>
* doc: add changelog for #3332
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
The devcontainer was using Go 1.23 but go.mod requires Go 1.25.0.
This caused 'go mod tidy' to fail in the devcontainer environment.
Signed-off-by: Jan Larwig <jan@larwig.com>
* update to release version v7.14.2
* doc: changelog entry for v7.14.2
Signed-off-by: Jan Larwig <jan@larwig.com>
* doc: fix nginx example docker-compose
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Jan Larwig <jan@larwig.com>