* docs: clarify ingress-nginx integration and remove Lua block example for oauth2-proxy
This PR revises the integration guide for oauth2-proxy with ingress-nginx in Kubernetes:
Recommends the minimal configuration: just auth-url and auth-signin annotations.
Removes the Lua block example, as it did not work in practice despite following nginx documentation and extensive testing.
Clearly states that the official ingress-nginx external auth example is the recommended approach for most users.
Notes that advanced Lua/cookie handling is only needed for rare, advanced scenarios.
Signed-off-by: Jan Larwig <jan@larwig.com>
* doc: update 3 latest docs versions
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* fix: SourceHut documentation
- Add it to sidebar and provider index
- Fix broken link
This fixes an oversight in #2359, where I had not fully understood how
the documentation works.
Signed-off-by: Conrad Hoffmann <ch@bitfehler.net>
* fix: doc build instructions in docs/README.md
---------
Signed-off-by: Conrad Hoffmann <ch@bitfehler.net>
* bugfix: Gitaa team membership
Gitea doesn't properly fill in all the fields like GitHub,
so implement a series of fallbacks.
Signed-off-by: magic_rb <magic_rb@redalder.org>
* add changelog, documentation and fix groups list
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: magic_rb <magic_rb@redalder.org>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* Add sensible logging flag to default setup for logger
* Fix default value flag for sensitive logging
* Remove sensitive logging changes
* Add Cidaas provider
* Update CHANGELOG.md
* Add required groups scope to defaults
* Fix tests
* Remove if block with protected resource
* Fix linting
* Adjust provider sorting, fixes
* Directly handle error return
Co-authored-by: Jan Larwig <jan@larwig.com>
* Use less deep nesting
Co-authored-by: Jan Larwig <jan@larwig.com>
* Directly handle returned error
Co-authored-by: Jan Larwig <jan@larwig.com>
* Pass provider options to Cidaas provider
Co-authored-by: Jan Larwig <jan@larwig.com>
* Add import for provider options
* Fix tests
* Fix linting
* Add Cidaas doc page
* Add Cidaas provider doc page to overview
* Fix link in docs
* Fix link in docs
* Add link to Cidaas
* fix provider order in docs and changelog position
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Teko012 <112829523+Teko012@users.noreply.github.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Kevin Kreitner <kevinkreitner@gmail.com>
* add new docs version 7.11.x
* update to release version v7.11.0
* add changelog entry for v7.11.0
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* feat: add feature support for cookie-secret-file
---------
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-Authored-By: Sandy Chen <Yuxuan.Chen@morganstanley.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* feat: Allow use more possible google admin-sdk api scopes.
* reduce cognitive complexity
Signed-off-by: Bob Du <i@bobdu.cc>
* remove unnecessary else block / indentation
Signed-off-by: Jan Larwig <jan@larwig.com>
* add changelog entry
Signed-off-by: Jan Larwig <jan@larwig.com>
* slight formatting and error message rephrasing
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Bob Du <i@bobdu.cc>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* Change Dex port in local-environment from 4190 to 5556
Port 4190 is blocked by standards-compliant browsers (e.g. Firefox), as per https://fetch.spec.whatwg.org/#port-blocking.
Port 5556 is used by Dex in its example config files: 745e1114f3/examples/config-dev.yaml (L50)
* Fix upstream in local-environment/oauth2-proxy.cfg
http://httpbin.localtest.me:8080 is only exposed to the host, not to httpbin Docker network.
Causes Bad Gateway before.
* Do not expose unauthenticated httpbin service in local-environment
This defeats the point of having oauth2-proxy.
It has already been misleading by causing the bug fixed in cafc6af48fc38f6fe4395fb0c7e2638bc84e6091.
It serves as a bad example: users might accidentally expose the service they're trying to protect in the first place.
* Remove unnecessary httpbin.localtest.me alias from local-environment
* Allow setting maximum number of csrf cookies, deleting the oldest if necessary
* Add a test for multiple CSRF cookies to remove the old cookie
* Add docs/changelog
* If limit is <=0 do not clear
Signed-off-by: test <bert@transtrend.com>
* Better docs
Co-authored-by: Jan Larwig <jan@larwig.com>
* direct check of option value
Co-authored-by: Jan Larwig <jan@larwig.com>
* direct use of option value
Co-authored-by: Jan Larwig <jan@larwig.com>
* sort based on clock compare vs time compare
Co-authored-by: Jan Larwig <jan@larwig.com>
* clock.Clock does not implement Compare, fix csrf cookie extraction after rename
Signed-off-by: Bert Helderman <bert@transtrend.com>
* Linter fix
* add method signature documentation and slight formatting
Signed-off-by: Jan Larwig <jan@larwig.com>
* fix: test case for csrf cookie limit and flag
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Bert Helderman <bert@transtrend.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: test <bert@transtrend.com>
Co-authored-by: bh-tt <71650427+bh-tt@users.noreply.github.com>
* fix for github teams
* Update github.go
* added errorhandling
* Update github.md
* refactored GitHub provider
refactored hasOrg, hasOrgAndTeams and hasTeam into hasAccess to stay within function limit
* reverted Refactoring
* refactored github.go
- joined hasOrgAndTeamAccess into checkRestrictions
* refactored github.go
- reduced number of returns of function checkRestrictions to 4
* updated GitHub provider to accept legacy team ids
* GoFmt and golangci-lint
Formatted with GoFmt and followed recommendations of GoLint
* added Tests
added Tests for checkRestrictions.
* refactored in maintainer feedback
* Removed code, documentation and tests for legacy ids
* add changelog and update docs
---------
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* docs: clear up multiple-providers is unimplemented
Currently this configuration option is held up by #926. So users don't
assume this solution will work for them, and later find the feature is
not yet implemented -- own the shortcoming clearly.
* doc: add note about missing multi provider implementation to versioned docs
---------
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* add new docs version 7.9.x
* update to release version v7.9.0
* doc: add changelog summary
---------
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* Update Go version in devcontainer
* Add option to change response mode in authorization request
* Fix option name
* Update docs and changelog
* Rename config value to underscore
* Add unit tests for added parameter
* Move change to upcoming release
* Generate alpha config
---------
Co-authored-by: Michael Cornel <michael@stieler.it>
* Update gitlab.md with correct url for creating an application
* docs: fix gitlab docs url for oauth2 integration
---------
Co-authored-by: Jan Larwig <jan@larwig.com>
* update to release version v7.8.2
* docs: release letter
---------
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* Microsoft Entra ID Provider
* fix typo in function name
* documentation tweaks
* documentation and comment tweak
* docs tweaks
* final tweaks
* refactor: drop flag for skipping graph groups
* update legacy / deprecated provider page and sort provider overview
* reformat
* move entra-id provider into switch (treat like every other provider
* fix test case and reformat
* fix sidebar configuration
* apply review suggestions
* add pagination for graph api
* fix: do not error when groups unable to retrieve
* doc: number of groups fix
* restore master packages
* docs: tiny docs tweak
* address review comments
* fix codegen
---------
Co-authored-by: tuunit <jan@larwig.com>
The original example only protected the root (`/`) path, leaving other routes unsecured.
* docs: add syntax highlighting for nginx config
* docs: fix headings in `configuration/integration` page
* docs: fix redirect in caddy configuraion example
* new readme structure
* add adopters file
* add microsoft sponsorship
* add reference to adopter file
* add gopher slack invite link
* slightly rephrase nightly image section
* add sponsor request for action
* better formatting for contributor wall
* add longer wait time for stale PRs and issues and allow for exemption through bug and high-priority labels
* apply review suggestion
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
---------
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Xiaobao
Schmitt Paul
Vincent Privat
David Symonds
Conrad Hoffmann
github-actions[bot]
Richard Brežák
jet
Kevin Kreitner
Sourav Agrawal
Sandy Chen
Bob Du
Simmo Saan
Jan Larwig
renovate[bot]
Daniel Mersch
Evan Carroll
Michael Niksa
Justin Ryan
Michael Cornel
Copolycube
Alexander Votteler
axel7083
JJ Łakis
Jon Newton
ciffelia
Jacek J. Łakis
Ondrej Sika
Benjamin Cremer
Joel Speed