public_git
/
oauth2-proxy
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
1,676 Commits 29 Branches 41 Tags 50 MiB
Commit Graph

293 Commits

Author SHA1 Message Date
Jehiah Czebotar c5fc7baa86 gofmt 2017-03-29 09:36:38 -04:00
Colin Arnott 55085d9697 csrf protection; always set state 2017-03-29 09:31:10 -04:00
Jehiah Czebotar 6c690b699b Merge pull request #339 from omazhary/issue-205 
Allow to pass user headers only
 2017-03-28 21:42:29 -04:00
Jehiah Czebotar 107b4811b4 Merge pull request #346 from bdwyertech/patch-1 
Oversize Cookie Alert
 2017-03-28 21:40:11 -04:00
Colin Arnott 289a6ccf46 add check for //.* to prevent open redirect during oauth 2017-03-28 21:12:33 -04:00
Guillaume Bienkowski 562cc2e466 [signout] Implement logout endpoint 2017-03-21 17:40:47 +01:00
Brian Dwyer 3379e05fec Oversize Cookie Alert 
Cookies cannot be larger than 4kb
 2017-02-23 18:48:34 -05:00
Omar Elazhary 24f91a0b60 Allow to pass user headers only (issue #205) 
* This fixes https://github.com/bitly/oauth2_proxy/issues/205
* Add new boolean option -pass-user-headers
  to control whether X-Forwarded-User and X-Forwarded-Email
  headers will be set (as opposed to HTTP BASIC auth)
* This is required e.g. for grafana [1] where
  X-Forwarded-User is needed but HTTP BASIC auth fails
  (password is not known and must not be known in this scenario)
* Keep behaviour of PassBasicAuth unchanged for compatibility

[1] http://docs.grafana.org/installation/configuration/#authproxy
 2017-01-24 11:11:58 +01:00
Jehiah Czebotar cdebfd6436
base64 cookie support 2016-06-20 07:45:43 -04:00
Jehiah Czebotar 57f82ed71e
Custom footer text (optional) 
Closes #256 and #166
 2016-06-18 23:54:32 -04:00
Jehiah Czebotar 168cff9d4b Merge pull request #161 from rahdjoudj/master 
adding option to skip provider button sign_in page
 2016-06-18 23:31:39 -04:00
Pranay Kanwar f957a1e435 Validate state param while redirecting 2016-01-19 13:14:16 +05:30
Mike Bland e4626c1360 Sign Upstream requests with HMAC. closes #147 2015-11-15 22:09:30 -05:00
Reda Ahdjoudj 35547a40cb adding option to skip provider button sign_in page 2015-11-11 11:42:35 +11:00
Mike Bland 462f6d03d2 Extract Authenticate for Proxy, AuthenticateOnly 2015-11-09 10:32:16 -05:00
Mike Bland e61fc9e7a6 Add /auth endpoint to support Nginx's auth_request 
Closes #152.
 2015-11-09 10:31:41 -05:00
Brandon Philips 6db18804f3 *: rename Oauth to OAuth 
Be consistent with Go capitalization styling and use a single way of
spelling this across the tree.
 2015-11-09 00:57:01 +01:00
Brandon Philips 1ff2fce25b oauthproxy: rename Uri to URI 
Be consistent with Go coding style for acroynyms.
 2015-11-09 00:50:42 +01:00
Brandon Philips 51a2e4e48c *: rename Url to URL everywhere 
Go coding style says that acronyms should be all lower or all upper. Fix
Url to URL.
 2015-11-09 00:47:44 +01:00
John Boxall a653c3eeeb Pass `ProxyPrefix` into the error template. 
The default `error.html` uses `ProxyPrefix` but it isn't supplied in the context, causing it to error.
 2015-10-03 15:59:47 -07:00
Jeppe Toustrup ffeccfe552 Add support for serving static files from a directory 
The path should be provided as a file:// url with the full operating system path.
An alias to where the directory is available as can be specified by appending
a fragment (ie. "#/static/") at the end of the URL.
 2015-09-24 15:37:45 +02:00
Justin Burnham 3fd8f911c2 google: Support restricting access to a specific group(s) 2015-09-09 02:10:32 -07:00
Justin Burnham 7dd5d299e1 Add support for setting the basic auth password. 
For tools that don't like empty passwords, this change allows
one to set a shared secret password for all users.
 2015-07-24 09:17:43 +00:00
mattk42 6cd3e72e09 Check email validity on all requests rather than only on login/refresh 2015-07-14 08:40:59 -06:00
Jehiah Czebotar d49c3e167f SessionState refactoring; improve token renewal and cookie refresh 
* New SessionState to consolidate email, access token and refresh token
* split ServeHttp into individual methods
* log on session renewal
* log on access token refresh
* refactor cookie encription/decription and session state serialization
 2015-07-02 23:09:11 -04:00
Jehiah Czebotar 8d50b372e4 immediately redeem refresh token for provider==Google 2015-06-23 13:56:14 -04:00
Jehiah Czebotar e9b5631eed cookie refresh: validation fixes, interval changes 
* refresh now calculated as duration from cookie set
 2015-06-23 07:51:00 -04:00
Jehiah Czebotar d78aa13464 v2.0 & cleanup changes 
* bump version to 2.0
* remove --cookie-https-only option
* add windows build to dist.sh
* rename --cookie-key to --cookie-name
 2015-06-12 13:07:26 -04:00
Jehiah Czebotar f5b2b20f67 support TLS directly 2015-06-07 23:14:48 -04:00
Jehiah Czebotar f5db2e1ff7 More complete HTTP error logging 2015-06-07 21:03:53 -04:00
Jehiah Czebotar 56d19b1c84 disable email validation; rename email-domain argument 
This adds a "*" option to --email-domain to disable email validation, and this renames `--google-apps-domain` to `--email-domain` for clarity across providers
 2015-06-06 14:37:54 -04:00
tonymeng c5ccd43767 Enable specific oauth2proxy path; change cookie name to _oauth2proxy 2015-06-06 14:21:42 -04:00
Jehiah Czebotar b96a078839 Project Rename -> oauth2_proxy 2015-05-21 02:55:04 -04:00
Jehiah Czebotar 37b38dd2f4 Github provider 2015-05-21 02:21:19 -04:00
Mike Bland 8471f972e1 Move ValidateToken() to Provider 2015-05-21 02:06:23 -04:00
Jehiah Czebotar 9047920e90 Merge pull request #88 from 18F/auto-refresh 
Auto refresh auth token
 2015-05-11 22:24:50 -04:00
Mike Bland 5b07d9fcef Provide a robots.txt that denies all crawlers 2015-05-10 15:15:52 -04:00
Mike Bland 37f287bef4 Calculate cookie expiration from encoded timestamp 
Found out the hard way that _incoming_ cookies do _not_ have their expiration
timestamps encoded. To perform auto-refresh based on expiration time, we have
to recalculate it from the time encoded in the cookie value.
 2015-05-10 00:11:26 -04:00
Mike Bland 8ec967ac32 Check cookie_secret size when cookie_refresh set 2015-05-09 17:37:33 -04:00
Mike Bland 84190ab19a Validate user during cookie refresh 2015-05-09 16:54:27 -04:00
Mike Bland 610341a068 Make ProcessCookie() fail when cookie parse fails 2015-05-09 16:54:27 -04:00
Mike Bland bd4eae8fec Store access token when cookie-refresh is set 
cookie-refresh now no longer requires pass-access-token in order to work.
 2015-05-09 16:54:27 -04:00
Mike Bland b6e07d51b2 Validate access_token when auto-refreshing cookie 2015-05-09 15:09:31 -04:00
Mike Bland 25372567ac ValidateToken() to check access_token validity 2015-05-09 13:17:37 -04:00
Mike Bland 72857018ee Introduce `validate-url` flag/config 2015-05-08 17:13:35 -04:00
Mike Bland 8e2d83600c Implement cookie auto-refresh 
The intention is to refresh the cookie whenever the user accesses an
authenticated service with less than `cookie-refresh` time to go before the
cookie expires.
 2015-05-08 14:05:09 -04:00
Mike Bland f554f99abd Ensure all errors are logged in ProcessCookie() 2015-05-08 14:05:09 -04:00
Mike Bland beed9fb9a2 Extract MakeCookie() 2015-05-08 14:05:09 -04:00
Mike Bland 1bd90cefe7 Extract ProcessCookie() from ServeHTTP() 2015-05-08 12:41:22 -04:00
Mike Bland 9887ac3be5 Refactor cookie building and parsing 
Extracts buildCookieValue() and parseCookieValue() from OauthProxy.ServeHTTP()
and adds tests for both.
 2015-04-07 05:53:41 -04:00
Mike Bland cf79fd9e4c Refactor pass_access_token+cookie_secret check 
Moves the check from NewOauthProxy() to Options.Validate() and adds a test.
 2015-04-07 05:53:40 -04:00
Mike Bland 5f747bb768 Redirect to / when /oauth2/sign_in accessed 
Without this change, clicking the sign-in button on /oauth2/sign_in will
always redirect back to /oauth2/sign_in, essentially creating an infinite
loop.
 2015-04-06 22:10:03 -04:00
Mike Bland ad3c9a886f Pass the access token to the upstream client 
This is accomplished by encoding the access_token in the auth cookie and
unpacking it as the X-Forwarded-Access-Token header for upstream requests.
 2015-04-03 15:32:01 -04:00
Mike Bland 666e6ad436 Add ProviderName field; use in sign_in template 2015-03-31 12:59:07 -04:00
Mike Bland d9a945ebc3 Integrate Provider into Options and OauthProxy 2015-03-31 09:34:50 -04:00
Mike Bland 45286af4a4 s/18F/bitly/ in import path 2015-03-30 11:42:37 -04:00
Mike Bland 9d8f932797 Extract api package 
This is the first step towards genericizing the google_auth_proxy to support
OAuth2 providers other than Google as discussed in #65. The `api` package will
enable multiple providers to use the same `api.Request()` implementation.
 2015-03-30 10:23:30 -04:00
Jehiah Czebotar 16f2c981f3 fix upstream request path 2015-03-21 15:29:07 -04:00
Jehiah Czebotar b9b5e817fc improve request logging (closer to Apache Common Log) 2015-03-19 22:34:01 -04:00
Jehiah Czebotar 07c74f55c6 improve handling of cookie domains 2015-03-19 16:18:02 -04:00
Jehiah Czebotar de04e0c519 rename cookie secure flag 2015-03-19 14:08:17 -04:00
Jehiah Czebotar ebae065b11 make redirect_uri optional 2015-03-19 14:03:05 -04:00
Jehiah Czebotar 71ae70834d pass raw unencoded request URI upstream 2015-03-19 13:18:49 -04:00
Jehiah Czebotar 2b2324e410 support (optional) custom templates 2015-03-17 18:11:58 -04:00
Jehiah Czebotar 263e16eeea add --proxy-host-header option 2015-03-17 15:53:01 -04:00
John Boxall 24ef555547 Requests are proxied to the Host specified by the target. 2015-03-17 15:04:27 -04:00
John Boxall 20a152261c Adds failing test for using upstream Host header. 2015-03-17 15:04:27 -04:00
Jehiah Czebotar 601ae6f4ec Merge pull request #60 from tomtaylor/gofmt-fixes 
Run gofmt over source
 2015-01-19 12:48:57 -05:00
Tom Taylor 5201f26ffc Run gofmt over source. 2015-01-19 16:10:37 +00:00
Tom Taylor 132e3d91d6 Add flag to enable/disable cookie's HttpOnly flag. 2015-01-19 16:00:49 +00:00
vishnu chilamakuru c4d25d271f Adding Support for multi white listed urls with regex url match. 2015-01-12 14:48:41 +05:30
drew 69804e588a Allow hiding custom login UI even if an htpasswd file is provided. 2014-12-09 14:38:57 -06:00
Jehiah Czebotar 1f515eba3c options bug fixes; set https cookies on by default 2014-11-09 22:21:46 -05:00
Jehiah Czebotar a49eadadeb template updates to display version 2014-11-09 22:01:50 -05:00
Jehiah Czebotar 9060feb436 better environment parsing 2014-11-09 21:12:36 -05:00
Jehiah Czebotar d4fe9a4f57 Add config file support 2014-11-09 20:33:12 -05:00
Jehiah Czebotar bc26835076 always set httponly (there is no good reason not to); simplify httponly and expire flags 2014-11-08 14:32:35 -05:00
Igor Dolgiy 6cdf05e7f2 Added cookie settings 2014-11-08 13:35:45 -05:00
Jehiah Czebotar 23a89b06de Merge pull request #22 from dbrgn/empty_upstream_path 
Handle upstreams without a trailing slash
 2014-11-08 19:17:44 +01:00
Roger Hu ec9c11ed28 Pass in the original email address too as X-Forwarded-Email. 2014-11-08 07:33:14 -08:00
Jason Swank 1e29aa1c12 Make /ping endpoint respond with "OK" 2014-10-14 17:05:59 -04:00
Jason Swank 8702ad2e52 Add /ping endpoint 2014-10-14 16:22:38 -04:00
Jehiah Czebotar 98fb800de4 update to new scopes 2014-08-07 20:49:28 +00:00
Danilo Bargen b3bbc3ca20 Handle upstreams without a trailing slash 2014-07-08 15:06:41 +02:00
Danilo Bargen cfe186d6cb Fixed wrong error message 2014-07-08 14:07:07 +02:00
Sean O'Connor 11ce460209 Updated redirect arg handling to only happen when needed. 2013-10-24 17:40:29 +00:00
Sean O'Connor d2b1815d43 After authentication, redirect to original URI. 2013-10-23 20:29:39 +00:00
Jehiah Czebotar c97de52200 handle sign in directly (if using htpasswd) 2012-12-26 18:26:03 +00:00
Jehiah Czebotar 4367e47a46 don't promote htpasswd auth; auth directly 2012-12-26 16:55:20 +00:00
Jehiah Czebotar c459806ab0 promote basic auth to cookie 2012-12-26 10:35:02 -05:00
Jehiah Czebotar 42f539109e testing 2012-12-17 13:38:33 -05:00
Jehiah Czebotar 42359333b2 cleanup error handling 2012-12-17 13:15:23 -05:00
Jehiah Czebotar fb636396a3 initial code import 2012-12-10 20:59:23 -05:00