Filtering `/dev/urandom` for alphanumeric characters resulted in loss of
input entropy to base64. Fixing this using a procedure with these steps:
* Read 32 bytes from `/dev/urandom` (`dd`)
* Base64-encode (`base64`)
* Strip newlines (`tr -d`)
* URL-Escape (`tr`)
* Append a final newline (`echo`)
This output should be equivalent to output generated using Python and
OpenSSL variants mentioned in the changed document file.
Newlines are stripped as `base64` wraps its output and the option to
disable this (`-w 0`) is not available in all implementations.
Fixes: #1511
You must explicitly configure oauth2-proxy (alpha config only) with which parameters are allowed to pass through, and optionally provide an allow-list of valid values and/or regular expressions for each one. Note that this mechanism subsumes the functionality of the "prompt", "approval_prompt" and "acr_values" legacy configuration options, which must be converted to the equivalent YAML when running in alpha config mode.
* implementation draft
* add cfg options skip-au-when-missing && client-id-verification-claim; enhance the provider data verification logic for sake of the added options
* refactor configs, added logging and add additional claim verification
* simplify logic by just having one configuration similar to oidc-email-claim
* added internal oidc token verifier, so that aud check behavior can be managed with oauth2-proxy and is compatible with extra-jwt-issuers
* refactored verification to reduce complexity
* refactored verification to reduce complexity
* added docs
* adjust tests to support new OIDCAudienceClaim and OIDCExtraAudiences options
* extend unit tests and ensure that audience is set with the value of aud claim configuration
* revert filemodes and update docs
* update docs
* remove unneccesary logging, refactor audience existence check and added additional unit tests
* fix linting issues after rebase on origin/main
* cleanup: use new imports for migrated libraries after rebase on origin/main
* adapt mock in keycloak_oidc_test.go
* allow specifying multiple audience claims, fixed bug where jwt issuers client id was not the being considered and fixed bug where aud claims with multiple audiences has broken the whole validation
* fixed formatting issue
* do not pass the whole options struct to minimize complexity and dependency to the configuration structure
* added changelog entry
* update docs
Co-authored-by: Sofia Weiler <sofia.weiler@aoe.com>
Co-authored-by: Christian Zenker <christian.zenker@aoe.com>
* Remove the information about `Microsoft Azure AD`
* Put `proxy_buffer_size` in a code tag
* Update `CHANGELOG.md`
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
I was recently looking into the order in which oauth2-proxy evaluates it configuration options from the various sources.
I think this will also be helpful for other users.
Since oauth2-proxy is using viper, the order of configuration sources is as follows [1]:
> Viper uses the following precedence order. Each item takes precedence over the item below it:
>
> explicit call to Set
> flag
> env
> config
> key/value store
> default
[1] https://github.com/spf13/viper/blob/master/README.md#why-viper
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
The previous code didn't consider other languages and hid the output of failures. For example
```
$ LANG=es_ES.UTF-8 sha256sum -c sha256sum.txt
oauth2-proxy-v7.1.3.linux-amd64/oauth2-proxy: La suma coincide
```
* Set and verify a nonce with OIDC
* Create a CSRF object to manage nonces & cookies
* Add missing generic cookie unit tests
* Add config flag to control OIDC SkipNonce
* Send hashed nonces in authentication requests
* Encrypt the CSRF cookie
* Add clarity to naming & add more helper methods
* Make CSRF an interface and keep underlying nonces private
* Add ReverseProxy scope to cookie tests
* Align to new 1.16 SameSite cookie default
* Perform SecretBytes conversion on CSRF cookie crypto
* Make state encoding signatures consistent
* Mock time in CSRF struct via Clock
* Improve InsecureSkipNonce docstring
* Initial commit of multiple provider logic:
1. Created new provider options.
2. Created legacy provider options and conversion options.
3. Added Providers to alpha Options.
4. Started Validation migration of multiple providers
5. Tests.
* fixed lint issues
* additional lint fixes
* Nits and alterations based on CR: manliy splitting large providers validation function and adding comments to provider options
* fixed typo
* removed weird : file
* small CR changes
* Removed GoogleGroups validation due to new allowed-groups (including tests). Added line in CHANGELOG
* Update pkg/apis/options/providers.go
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Update pkg/apis/options/providers.go
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Update pkg/apis/options/providers.go
Co-authored-by: Nick Meves <nick.meves@greenhouse.io>
* Initial commit of multiple provider logic:
1. Created new provider options.
2. Created legacy provider options and conversion options.
3. Added Providers to alpha Options.
4. Started Validation migration of multiple providers
5. Tests.
* fixed lint issues
* additional lint fixes
* Nits and alterations based on CR: manliy splitting large providers validation function and adding comments to provider options
* small CR changes
* auto generates alpha_config.md
* rebase (mainly service alpha options related conflicts)
* removed :
* Nits and alterations based on CR: manliy splitting large providers validation function and adding comments to provider options
* small CR changes
* Removed GoogleGroups validation due to new allowed-groups (including tests). Added line in CHANGELOG
* "cntd. rebase"
* ran make generate again
* last conflicts
* removed duplicate client id validation
* 1. Removed provider prefixes
2. altered optionsWithNilProvider logic
3. altered default provider logic
4. moved change in CHANELOG to 7.0.0
* fixed TestGoogleGroupOptions test
* ran make generate
* moved CHANGLOG line to 7.1.1
* moved changelog comment to 7.1.2 (additional rebase)
Co-authored-by: Yana Segal <yana.segal@nielsen.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Nick Meves <nick.meves@greenhouse.io>
* Add RequestID to the RequestScope
* Expose RequestID to auth & request loggers
* Use the RequestID in templated HTML pages
* Allow customizing the RequestID header
* Document new Request ID support
* Add more cases to scope/requestID tests
* Split Get vs Generate RequestID funtionality
* Add {{.RequestID}} to the request logger tests
* Move RequestID management to RequestScope
* Use HTML escape instead of sanitization for Request ID rendering
* GH-1015 Adds support for Traefik to OauthStart on '/oauth2/auth' endpoint
* Fix incorrect reference to signout path and point to signin path
- remove commented out alternative solutions and debug log statements
* Remove skip provider button check as SignIn method already does this
* Updated traefik example to match existing file configuration reference, updated tests
* Update doc and refactor nested conditional statements
* Revert code changes as static upstream provides the same functionality
- Add doc on using static upstream with Traefik ForwardAuth middleware
* update changelog
* Move the doc changes to 7.0.x versioned docs
* Re-add traefik docs update in the main docs overview.md
* add missing oauth2-proxy routing
Co-authored-by: Praveen Chinthala <PraveenChinthala@hollandandbarrett.com>
Add the Prometheus http.Handler to serve metrics at MetricsPath ("/metrics"
by default). This allows Prometheus to scrape metrics from OAuth2 Proxy.
Add a new middleware NewRequestMetrics and attach it to the preAuth
chain. This will collect metrics on all requests made to OAuth2 Proxy
Collapse some calls to Prinf() and os.Exit(1) to Fatalf as they are
equivalent. main() has a strict 50 lines limit so brevity in these
calls appreciated
* Fix and enhance OIDC example
* Restructure
* Indent
* Add full stop.
* Add link
* Add minimalistic README
* Apply suggestions from code review
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Add support for gitlab projets
* Add group membership in state
* Use prefixed allowed groups everywhere
* Fix: remove unused function
* Fix: rename func that add data to session
* Simplify projects and groups session funcs
* Add project access level for gitlab projects
* Fix: default access level
* Add per project access level
* Add user email when missing access level
* Fix: harmonize errors
* Update docs and flags description for gitlab project
* Add test with both projects and groups
* Fix: log error message
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Fix: make doc a markdown link
* Add notes about read_api scope for projects
* Fix: Verifier override in Gitlab Provider
This commit fixes a bug caused by an override of the Verifier value from *ProviderData inside GitlabProvider struct
* Fix: ensure data in session before using it
* Update providers/gitlab.go
Co-authored-by: Nick Meves <nick.meves@greenhouse.io>
* Rename gitlab project initializer
* Improve return value readbility
* Use splitN
* Handle space delimiters in set project scope
* Reword comment for AddProjects
* Fix: typo
* Rework error handling in addProjectsToSession
* Reduce branching complexity in addProjectsToSession
* Fix: line returns
* Better comment for addProjectsToSession
* Fix: enrich session comment
* Fix: email domains is handled before provider mechanism
* Add archived project unit test
* Fix: emails handling in gitlab provider
Co-authored-by: Wilfried OLLIVIER <wollivier@bearstech.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Nick Meves <nick.meves@greenhouse.io>
* Document set_xauthrequest with pass_access_token
Document feature implemented in https://github.com/oauth2-proxy/oauth2-proxy/pull/68
The feature is already decribed in in the nginx example but not clearly
on each respective parameters documentation.
* Update docs/configuration/configuration.md
Co-authored-by: Nick Meves <nick.meves@greenhouse.io>
Co-authored-by: Nick Meves <nick.meves@greenhouse.io>
* Home: Add a brief description of the behavior
I could not find this information anywhere and think it is quite important for understanding how to use and configure the proxy for different use cases.
(Especially the Ajax part is not mentioned anywhere else I believe.)
I tried to keep it general enough so that it won't need updating often yet useful enough to have good value :)
* Update docs/0_index.md
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Strip X-Forwarded auth headers from whitelisted paths
For any paths that match skip-auth-regex, strip normal
X-Forwarded headers that would be sent based on pass-user-headers
or pass-access-token settings. This prevents malicious injecting
of authentication headers through the skip-auth-regex paths in
cases where the regex might be misconfigured and too open.
Control this behavior with --skip-auth-strip-headers flag. This
flag is set to TRUE by default (this is secure by default, but
potentially breaks some legacy configurations).
Only x-Forwarded headers stripped, left the Authorization header
untouched.
* Strip authorization header if it would be set
* Improve TestStripAuthHeaders test table
* Improve --skip-auth-strip-headers flag documentation
* Implements --ip-whitelist option
* Included IPWhitelist option to allow one-or-more selected CIDR ranges
to bypass OAuth2 authentication.
* Adds IPWhitelist, a fast lookup table for multiple CIDR ranges.
* Renamed IPWhitelist ipCIDRSet
* Fixed unessesary pointer usage in ipCIDRSet
* Update CHANGELOG.md
* Update CHANGELOG.md
* Updated to not use err.Error() in printf statements
* Imrpoved language for --ip-whitelist descriptions.
* Improve IP whitelist options error messages
* Clarify options single-host normalization
* Wrote a book about ipCIDRSet
* Added comment to IsWhitelistedIP in oauthproxy.go
* Rewrite oauthproxy test case as table driven
* oops
* Support whitelisting by low-level remote address
* Added more test-cases, improved descriptions
* Move ip_cidr_set.go to pkg/ip/net_set.go
* Add more whitelist test use cases.
* Oops
* Use subtests for TestIPWhitelist
* Add minimal tests for ip.NetSet
* Use switch statment
* Renamed ip-whitelist to whitelist-ip
* Update documentation with a warning.
* Update pkg/apis/options/options.go
* Update CHANGELOG.md
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Update pkg/ip/net_set_test.go
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Update pkg/ip/net_set_test.go
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Update pkg/ip/net_set_test.go
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Apply suggestions from code review
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* fix fmt
* Move ParseIPNet into abstraction
* Add warning in case of --reverse-proxy
* Update pkg/validation/options_test.go
* Rename --whitelist-ip to --trusted-ip
* Update oauthproxy.go
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* fix
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Changed how gitlab-group is parsed, from string to []string
See #637
* Point out that gitlab-group can be a list
See #637
* Reflect to the []string change on pkg/apis/options/options.go
See #637
* Move cfg option gitlab_group to gitlab_groups
See #637
* Renamed Group to Groups
See #637
* Reflect the change on gitlab.go as well
See #637
* Added #639
* Added the author of #639 to the CHANGELOG
* Add the gitlab_groups env change to CHANGELOG.md
See #639
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Adding one more example - keycloak - alongside with dex IDP.
* don't expose keycloak and proxy ports to the host
* specify email-domain list option in documentation
* get rid of nginx and socat to simplify the example as per https://github.com/oauth2-proxy/oauth2-proxy/pull/604#issuecomment-640054390
* get rid of the scripts - use static file for keycloak startup
* changelog entry
* Update CHANGELOG.md
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Add an option to allow health checks based on User-Agent.
* Formatting fix
* Rename field and avoid unnecessary interface.
* Skip the redirect fix so it can be put into a different PR.
* Add CHANGELOG entry
* Adding a couple tests for the PingUserAgent option.
Simon Hollenbach
Joel Speed
Ian Roberts
Michael Hienle
Kevin Schu
Valentin Pichard
polarctos
ThomasKalten
Ole-Martin Bratteng
Jack Henschel
Jan Garaj
Adam Stephens
Luka Zakrajšek
Matt Cote
Fabian Stelzer
Miks Kalnins
Peter Braun
wassan128
Ian Hunter
Sami Racho
Robin Tweedie
Frederic Pape
Nick Meves
Weinong Wang
yanasega
Oliver
Stefan Sedich
Praveen Chinthala
Sean Jones
Aleksander Stelmaczonek
Wilfried OLLIVIER
İlteriş Eroğlu
Kirill Müller
Mathieu Lecarme
Halvard Mørstad
Jakub Holy
Philippe Pepiot
Mitsuo Heijo
blz-ea
Lennart Jern
Aurélien LAJOIE
Tomoyuki KOYAMA
Phil Taprogge
Ryan Schmidt
devopsix
mkontani
Isabelle COWAN-BERGMAN
Jonathan Herlin
k-wall
Evgeni Gordeev
Christopher Kohnert
Yoshiki Nakagawa
dependabot[bot]
Amnay