Joel Speed
630db3769b
Merge branch 'master' into refactor
2019-07-15 11:30:43 +01:00
Henry Jenkins
aa37564655
Merge branch 'master' into banner-flag
2019-07-02 14:03:21 +01:00
Henry Jenkins
924eab6355
Adds banner flag
...
This is to override what's displayed on the main page.
2019-06-25 16:41:51 +01:00
Henry Jenkins
d24aacdb5c
Fix lint errors
2019-06-23 21:39:13 +01:00
Brian Van Klaveren
bd651df3c2
Ensure groups in JWT Bearer tokens are also validated
...
Fix a minor auth logging bug
2019-06-20 13:40:04 -07:00
Brian Van Klaveren
5a50f6223f
Do not infer username from email
2019-06-17 12:58:40 -07:00
Brian Van Klaveren
2f6dcf3b5f
Move refreshing code to block acquiring cookied session
2019-06-17 12:52:44 -07:00
Brian Van Klaveren
58b06ce761
Fall back to using sub if email is none (as in PR #57)
2019-06-17 12:52:13 -07:00
Brian Van Klaveren
187960e9d8
Improve token pattern matching
...
Unit tests for token discovery
2019-06-17 12:52:13 -07:00
Brian Van Klaveren
8083501da6
Support JWT Bearer Token and Pass through
2019-06-17 12:51:35 -07:00
Joel Speed
6366690927
Fix gofmt for changed files
2019-06-15 11:34:00 +02:00
Joel Speed
fb9616160e
Move logger to pkg/logger
2019-06-15 11:33:58 +02:00
Joel Speed
d1ef14becc
Move cookie to pkg/encryption
2019-06-15 11:33:57 +02:00
Adam Eijdenberg
d69560d020
No need for case when only 2 conditions
2019-06-15 18:48:27 +10:00
Adam Eijdenberg
f35c82bb0f
The AuthOnly path also needs the response headers set
2019-06-07 14:25:12 +10:00
Adam Eijdenberg
9e59b4f62e
Restructure so that serving data from upstream is only done when explicitly allowed, rather
...
than as implicit dangling else
2019-06-07 13:50:44 +10:00
Joel Speed
093f9da881
Move cipher creation to options and away from oauth2_proxy.go
2019-05-20 11:26:13 +02:00
Joel Speed
37e31b5f09
Remove dead code
2019-05-20 11:26:11 +02:00
Joel Speed
c61f3a1c65
Use SessionStore for session in proxy
2019-05-20 11:26:10 +02:00
Joel Speed
fbee5eae16
Initialise SessionStore in Options
2019-05-20 11:26:04 +02:00
Joel Speed
2ab8a7d95d
Move SessionState to its own package
2019-05-18 13:09:56 +02:00
timothy-spencer
1a8bd70b46
fixing code redemption error string logging
2019-05-07 10:47:15 -07:00
Mister Wil
9eaa9fdcbf
Standardizing log messages to colons
2019-04-23 09:36:18 -07:00
MisterWil
d77119be55
Merging changes
2019-04-12 09:26:44 -07:00
MisterWil
c22731afa0
Fixed linting errors.
2019-04-12 08:59:46 -07:00
MisterWil
37c415b889
Self code review changes
2019-04-12 08:59:46 -07:00
MisterWil
8ec025f536
Auth and standard logging with file rolling
2019-04-12 08:59:46 -07:00
Costel Moraru
071d17b521
Expose -cookie-path as configuration parameter
2019-04-10 00:36:35 +03:00
gyson
978c0a33e4
Improve websocket support
2019-03-22 17:19:38 -04:00
Patrick Koenig
6f9eac5190
Set redirect URL path when host is present
2019-03-20 09:25:04 -07:00
einfachchr
f715c9371b
Fixes deletion of split cookies - Issue #69 (#70)
...
* fixes deletion of split cookies
* three minor adjustments to improve the tests
* changed cookie name matching to regex
* Update oauthproxy.go
Co-Authored-By: einfachchr <einfachchr@gmail.com>
* removed unused variable
* Changelog
2019-03-15 07:18:37 +00:00
Joel Speed
e195a74e26
Revert OAuthCallbackPath
2019-03-12 16:46:37 +00:00
Adam Szalkowski
c7193b4085
Merge websocket proxy feature from openshift/oauth-proxy. Original author: Hiram Chirino <hiram@hiramchirino.com>
2019-03-11 14:05:16 +01:00
dt-rush
549766666e
fix redirect url param handling (#10)
...
* Added conditional to prevent user-supplied redirect URL getting
clobbered
Change-type: patch
* use redirectURL as OAuthCallbackURL (as it should be!)
Change-type: patch
2019-03-05 14:58:26 +00:00
David Holsgrove
2280b42f59
Access token forwarding through nginx auth request (#68)
...
* Access token forwarding through nginx auth request
Related to #420.
(cherry picked from commit b138872bea)
Signed-off-by: David Holsgrove <david.holsgrove@biarri.com>
* Improved documentation for auth request token
(cherry picked from commit 6fab314f72)
Signed-off-by: David Holsgrove <david.holsgrove@biarri.com>
* Update README.md
Example should set header as `X-Access-Token`
Co-Authored-By: davidholsgrove <davidholsgrove@users.noreply.github.com>
* Update Changelog to reference https://github.com/pusher/oauth2_proxy/pull/68
* Fix Changelog message location
2019-02-22 07:49:57 +00:00
Joel Speed
fb13ee87c8
Merge pull request #34 from marratj/cookie-separator
...
Change cookie index separator to underscore
2019-02-03 13:21:51 +00:00
Joel Speed
fa2545636b
Merge pull request #15 from pusher/whitelist-domains
...
Whitelist domains
2019-02-02 18:55:37 +00:00
Marcel Juhnke
a339baf94e
change cookie index separator to underscore
2019-01-31 20:07:28 +01:00
Cosmin Cojocar
3326194422
Extract the application/json mime type into a const
2019-01-31 16:23:01 +01:00
Cosmin Cojocar
c12db0ebf7
Returns HTTP unauthorized for ajax requests instead of redirecting to the sign-in page
2019-01-31 16:23:01 +01:00
Steve Arch
01c5f5ae3b
Implemented flushing interval (#23)
...
* Implemented flushing interval
When proxying streaming responses, it would not flush the response writer buffer until some seemingly random point (maybe the number of bytes?). This makes it flush every 1 second by default, but with a configurable interval.
* flushing CHANGELOG
* gofmt and goimports
2019-01-31 14:02:15 +00:00
Joel Speed
bc4d5941fc
Remove duplicated logic
2019-01-30 17:30:48 +00:00
Joel Speed
2a1691a994
Add whitelist domains flag
2019-01-30 17:30:40 +00:00
Steve Arch
090ff11923
redirect to original path after login (#24)
...
* redirect to original path after login
* tests for new redirect behaviour
* fixed comment
* added redirect fix to changelog
2019-01-29 12:13:02 +00:00
Joel Speed
714e2bdfba
Fix cookie split should account for cookie name
2019-01-22 11:34:55 +00:00
Joel Speed
d4b588dbe9
Split large cookies
2019-01-22 11:34:54 +00:00
Joel Speed
68d4164897
Add Authorization header flags
2019-01-22 11:34:23 +00:00
Joel Speed
d37cc2889e
Fix err declaration shadowing
2018-12-20 10:46:19 +00:00
Joel Speed
ee913fb788
Add comments to exported methods for root package
2018-12-20 09:30:42 +00:00
Joel Speed
8ee802d4e5
Lint for non-comment linter errors
2018-11-29 14:26:41 +00:00
Joel Speed
847cf25228
Move imports from bitly to pusher
2018-11-27 11:45:05 +00:00
Pierce Lopez
74d0fbc868
more robust ClearSessionCookie()
...
default domain changed from request Host to blank, recently
try to clear cookies for both
2017-12-18 21:16:51 -05:00
Carlo Lobrano
731fa9f8e0
Github provider: use login as user
...
- Save both user and email in session state:
Encoding/decoding methods save both email and user
field in session state, for use cases when User is not derived from
email's local-part, like for GitHub provider.
For retrocompatibility, if no user is obtained by the provider,
(e.g. User is an empty string) the encoding/decoding methods fall back
to the previous behavior and use the email's local-part
Updated also related tests and added two more tests to show behavior
when session contains a non-empty user value.
- Added first basic GitHub provider tests
- Added GetUserName method to Provider interface
The new GetUserName method is intended to return the User
value when this is not the email's local-part.
Added also the default implementation to provider_default.go
- Added call to GetUserName in redeemCode
the new GetUserName method is used in redeemCode
to get SessionState User value.
For backward compatibility, if GetUserName error is
"not implemented", the error is ignored.
- Added GetUserName method and tests to github provider.
2017-11-20 20:02:27 +01:00
Mike Bland
e241fe86d3
Switch from 18F/hmacauth to mbland/hmacauth
...
Since I'm no longer with 18F, I've re-released hmacauth under the ISC
license as opposed to the previous CC0 license. There have been no
changes to the hmacauth code itself, and all tests still pass.
2017-11-07 07:55:24 -05:00
Jehiah Czebotar
bfda078caa
Merge pull request #376 from reedloden/make-cookie-domain-optional
...
Don't set the cookie domain to the host by default, as it breaks Cookie Prefixes
2017-10-23 14:14:45 -04:00
Alan Braithwaite
b640a69d63
oauthproxy: fix #284 -skip-provider-button for /sign_in route
2017-06-21 15:05:36 -07:00
Reed Loden
b6bd878f27
Don't set the cookie domain to the host by default, as it breaks Cookie Prefixes
...
The Cookie Prefixes spec disallows the use of the `domain` attribute in cookies
if the `__Host-` prefix is used
(https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00#section-3.2).
There's no need to set it to the host by default, so make it optional. If it is
set to a non-empty value, still output a warning if it is not a suffix of the
host, as that's likely not wanted.
Fixes #352.
2017-04-24 13:03:40 -07:00
idntfy
1e7d2a08a3
#369: Optionally allow skipping authentication for preflight requests
2017-04-07 15:01:47 +03:00
Sjoerd Mulder
90a22b2f39
Use X-Auth-Request-Redirect request header in sign-in page
...
This is useful in Nginx auth_request mode, if a 401 handler is
configured to redirect to the sign-in page. As the request URL
does not reflect the actual URL, the value is taken from the
header "X-Auth-Request-Redirect" instead. Based on #247
2017-03-29 21:28:55 +05:30
Lukasz Siudut
829b442302
add --set-xauthrequest flag for use in Nginx auth_request mode
...
This is enhancement of #173 to use "Auth Request" consistently in
the command-line option, configuration file and response headers.
It always sets the X-Auth-Request-User response header and if the
email is available, sets X-Auth-Request-Email as well.
2017-03-29 21:28:55 +05:30
Jehiah Czebotar
c5fc7baa86
gofmt
2017-03-29 09:36:38 -04:00
Colin Arnott
55085d9697
csrf protection; always set state
2017-03-29 09:31:10 -04:00
Jehiah Czebotar
6c690b699b
Merge pull request #339 from omazhary/issue-205
...
Allow to pass user headers only
2017-03-28 21:42:29 -04:00
Jehiah Czebotar
107b4811b4
Merge pull request #346 from bdwyertech/patch-1
...
Oversize Cookie Alert
2017-03-28 21:40:11 -04:00
Colin Arnott
289a6ccf46
add check for //.* to prevent open redirect during oauth
2017-03-28 21:12:33 -04:00
Guillaume Bienkowski
562cc2e466
[signout] Implement logout endpoint
2017-03-21 17:40:47 +01:00
Brian Dwyer
3379e05fec
Oversize Cookie Alert
...
Cookies cannot be larger than 4kb
2017-02-23 18:48:34 -05:00
Omar Elazhary
24f91a0b60
Allow to pass user headers only (issue #205)
...
* This fixes https://github.com/bitly/oauth2_proxy/issues/205
* Add new boolean option -pass-user-headers
to control whether X-Forwarded-User and X-Forwarded-Email
headers will be set (as opposed to HTTP BASIC auth)
* This is required e.g. for grafana [1] where
X-Forwarded-User is needed but HTTP BASIC auth fails
(password is not known and must not be known in this scenario)
* Keep behaviour of PassBasicAuth unchanged for compatibility
[1] http://docs.grafana.org/installation/configuration/#authproxy
2017-01-24 11:11:58 +01:00
Jehiah Czebotar
cdebfd6436
base64 cookie support
2016-06-20 07:45:43 -04:00
Jehiah Czebotar
57f82ed71e
Custom footer text (optional)
...
Closes #256 and #166
2016-06-18 23:54:32 -04:00
Jehiah Czebotar
168cff9d4b
Merge pull request #161 from rahdjoudj/master
...
adding option to skip provider button sign_in page
2016-06-18 23:31:39 -04:00
Pranay Kanwar
f957a1e435
Validate state param while redirecting
2016-01-19 13:14:16 +05:30
Mike Bland
e4626c1360
Sign Upstream requests with HMAC. closes #147
2015-11-15 22:09:30 -05:00
Reda Ahdjoudj
35547a40cb
adding option to skip provider button sign_in page
2015-11-11 11:42:35 +11:00
Mike Bland
462f6d03d2
Extract Authenticate for Proxy, AuthenticateOnly
2015-11-09 10:32:16 -05:00
Mike Bland
e61fc9e7a6
Add /auth endpoint to support Nginx's auth_request
...
Closes #152.
2015-11-09 10:31:41 -05:00
Brandon Philips
6db18804f3
*: rename Oauth to OAuth
...
Be consistent with Go capitalization styling and use a single way of
spelling this across the tree.
2015-11-09 00:57:01 +01:00
Brandon Philips
1ff2fce25b
oauthproxy: rename Uri to URI
...
Be consistent with Go coding style for acronyms.
2015-11-09 00:50:42 +01:00
Brandon Philips
51a2e4e48c
*: rename Url to URL everywhere
...
Go coding style says that acronyms should be all lower or all upper. Fix
Url to URL.
2015-11-09 00:47:44 +01:00
John Boxall
a653c3eeeb
Pass `ProxyPrefix` into the error template.
...
The default `error.html` uses `ProxyPrefix` but it isn't supplied in the context, causing it to error.
2015-10-03 15:59:47 -07:00
Jeppe Toustrup
ffeccfe552
Add support for serving static files from a directory
...
The path should be provided as a file:// url with the full operating system path.
An alias to where the directory is available as can be specified by appending
a fragment (i.e. "#/static/") at the end of the URL.
2015-09-24 15:37:45 +02:00
Justin Burnham
3fd8f911c2
google: Support restricting access to a specific group(s)
2015-09-09 02:10:32 -07:00
Justin Burnham
7dd5d299e1
Add support for setting the basic auth password.
...
For tools that don't like empty passwords, this change allows
one to set a shared secret password for all users.
2015-07-24 09:17:43 +00:00
mattk42
6cd3e72e09
Check email validity on all requests rather than only on login/refresh
2015-07-14 08:40:59 -06:00
Jehiah Czebotar
d49c3e167f
SessionState refactoring; improve token renewal and cookie refresh
...
* New SessionState to consolidate email, access token and refresh token
* split ServeHttp into individual methods
* log on session renewal
* log on access token refresh
* refactor cookie encryption/decryption and session state serialization
2015-07-02 23:09:11 -04:00
Jehiah Czebotar
8d50b372e4
immediately redeem refresh token for provider==Google
2015-06-23 13:56:14 -04:00
Jehiah Czebotar
e9b5631eed
cookie refresh: validation fixes, interval changes
...
* refresh now calculated as duration from cookie set
2015-06-23 07:51:00 -04:00
Jehiah Czebotar
d78aa13464
v2.0 & cleanup changes
...
* bump version to 2.0
* remove --cookie-https-only option
* add windows build to dist.sh
* rename --cookie-key to --cookie-name
2015-06-12 13:07:26 -04:00
Jehiah Czebotar
f5b2b20f67
support TLS directly
2015-06-07 23:14:48 -04:00
Jehiah Czebotar
f5db2e1ff7
More complete HTTP error logging
2015-06-07 21:03:53 -04:00
Jehiah Czebotar
56d19b1c84
disable email validation; rename email-domain argument
...
This adds a "*" option to --email-domain to disable email validation, and this renames `--google-apps-domain` to `--email-domain` for clarity across providers
2015-06-06 14:37:54 -04:00
tonymeng
c5ccd43767
Enable specific oauth2proxy path; change cookie name to _oauth2proxy
2015-06-06 14:21:42 -04:00
Jehiah Czebotar
b96a078839
Project Rename -> oauth2_proxy
2015-05-21 02:55:04 -04:00
Jehiah Czebotar
37b38dd2f4
Github provider
2015-05-21 02:21:19 -04:00
Mike Bland
8471f972e1
Move ValidateToken() to Provider
2015-05-21 02:06:23 -04:00
Jehiah Czebotar
9047920e90
Merge pull request #88 from 18F/auto-refresh
...
Auto refresh auth token
2015-05-11 22:24:50 -04:00
Mike Bland
5b07d9fcef
Provide a robots.txt that denies all crawlers
2015-05-10 15:15:52 -04:00
Mike Bland
37f287bef4
Calculate cookie expiration from encoded timestamp
...
Found out the hard way that _incoming_ cookies do _not_ have their expiration
timestamps encoded. To perform auto-refresh based on expiration time, we have
to recalculate it from the time encoded in the cookie value.
2015-05-10 00:11:26 -04:00
Mike Bland
8ec967ac32
Check cookie_secret size when cookie_refresh set
2015-05-09 17:37:33 -04:00
Mike Bland
84190ab19a
Validate user during cookie refresh
2015-05-09 16:54:27 -04:00
Mike Bland
610341a068
Make ProcessCookie() fail when cookie parse fails
2015-05-09 16:54:27 -04:00
Mike Bland
bd4eae8fec
Store access token when cookie-refresh is set
...
cookie-refresh now no longer requires pass-access-token in order to work.
2015-05-09 16:54:27 -04:00
Mike Bland
b6e07d51b2
Validate access_token when auto-refreshing cookie
2015-05-09 15:09:31 -04:00
Mike Bland
25372567ac
ValidateToken() to check access_token validity
2015-05-09 13:17:37 -04:00
Mike Bland
72857018ee
Introduce `validate-url` flag/config
2015-05-08 17:13:35 -04:00
Mike Bland
8e2d83600c
Implement cookie auto-refresh
...
The intention is to refresh the cookie whenever the user accesses an
authenticated service with less than `cookie-refresh` time to go before the
cookie expires.
2015-05-08 14:05:09 -04:00
Mike Bland
f554f99abd
Ensure all errors are logged in ProcessCookie()
2015-05-08 14:05:09 -04:00
Mike Bland
beed9fb9a2
Extract MakeCookie()
2015-05-08 14:05:09 -04:00
Mike Bland
1bd90cefe7
Extract ProcessCookie() from ServeHTTP()
2015-05-08 12:41:22 -04:00
Mike Bland
9887ac3be5
Refactor cookie building and parsing
...
Extracts buildCookieValue() and parseCookieValue() from OauthProxy.ServeHTTP()
and adds tests for both.
2015-04-07 05:53:41 -04:00
Mike Bland
cf79fd9e4c
Refactor pass_access_token+cookie_secret check
...
Moves the check from NewOauthProxy() to Options.Validate() and adds a test.
2015-04-07 05:53:40 -04:00
Mike Bland
5f747bb768
Redirect to / when /oauth2/sign_in accessed
...
Without this change, clicking the sign-in button on /oauth2/sign_in will
always redirect back to /oauth2/sign_in, essentially creating an infinite
loop.
2015-04-06 22:10:03 -04:00
Mike Bland
ad3c9a886f
Pass the access token to the upstream client
...
This is accomplished by encoding the access_token in the auth cookie and
unpacking it as the X-Forwarded-Access-Token header for upstream requests.
2015-04-03 15:32:01 -04:00
Mike Bland
666e6ad436
Add ProviderName field; use in sign_in template
2015-03-31 12:59:07 -04:00
Mike Bland
d9a945ebc3
Integrate Provider into Options and OauthProxy
2015-03-31 09:34:50 -04:00
Mike Bland
45286af4a4
s/18F/bitly/ in import path
2015-03-30 11:42:37 -04:00
Mike Bland
9d8f932797
Extract api package
...
This is the first step towards genericizing the google_auth_proxy to support
OAuth2 providers other than Google as discussed in #65. The `api` package will
enable multiple providers to use the same `api.Request()` implementation.
2015-03-30 10:23:30 -04:00
Jehiah Czebotar
16f2c981f3
fix upstream request path
2015-03-21 15:29:07 -04:00
Jehiah Czebotar
b9b5e817fc
improve request logging (closer to Apache Common Log)
2015-03-19 22:34:01 -04:00
Jehiah Czebotar
07c74f55c6
improve handling of cookie domains
2015-03-19 16:18:02 -04:00
Jehiah Czebotar
de04e0c519
rename cookie secure flag
2015-03-19 14:08:17 -04:00
Jehiah Czebotar
ebae065b11
make redirect_uri optional
2015-03-19 14:03:05 -04:00
Jehiah Czebotar
71ae70834d
pass raw unencoded request URI upstream
2015-03-19 13:18:49 -04:00
Jehiah Czebotar
2b2324e410
support (optional) custom templates
2015-03-17 18:11:58 -04:00
Jehiah Czebotar
263e16eeea
add --proxy-host-header option
2015-03-17 15:53:01 -04:00
John Boxall
24ef555547
Requests are proxied to the Host specified by the target.
2015-03-17 15:04:27 -04:00
John Boxall
20a152261c
Adds failing test for using upstream Host header.
2015-03-17 15:04:27 -04:00
Jehiah Czebotar
601ae6f4ec
Merge pull request #60 from tomtaylor/gofmt-fixes
...
Run gofmt over source
2015-01-19 12:48:57 -05:00
Tom Taylor
5201f26ffc
Run gofmt over source.
2015-01-19 16:10:37 +00:00
Tom Taylor
132e3d91d6
Add flag to enable/disable cookie's HttpOnly flag.
2015-01-19 16:00:49 +00:00
vishnu chilamakuru
c4d25d271f
Adding Support for multi white listed urls with regex url match.
2015-01-12 14:48:41 +05:30
drew
69804e588a
Allow hiding custom login UI even if an htpasswd file is provided.
2014-12-09 14:38:57 -06:00
Jehiah Czebotar
1f515eba3c
options bug fixes; set https cookies on by default
2014-11-09 22:21:46 -05:00
Jehiah Czebotar
a49eadadeb
template updates to display version
2014-11-09 22:01:50 -05:00
Jehiah Czebotar
9060feb436
better environment parsing
2014-11-09 21:12:36 -05:00
Jehiah Czebotar
d4fe9a4f57
Add config file support
2014-11-09 20:33:12 -05:00
Jehiah Czebotar
bc26835076
always set httponly (there is no good reason not to); simplify httponly and expire flags
2014-11-08 14:32:35 -05:00
Igor Dolgiy
6cdf05e7f2
Added cookie settings
2014-11-08 13:35:45 -05:00
Jehiah Czebotar
23a89b06de
Merge pull request #22 from dbrgn/empty_upstream_path
...
Handle upstreams without a trailing slash
2014-11-08 19:17:44 +01:00
Roger Hu
ec9c11ed28
Pass in the original email address too as X-Forwarded-Email.
2014-11-08 07:33:14 -08:00
Jason Swank
1e29aa1c12
Make /ping endpoint respond with "OK"
2014-10-14 17:05:59 -04:00
Jason Swank
8702ad2e52
Add /ping endpoint
2014-10-14 16:22:38 -04:00
Jehiah Czebotar
98fb800de4
update to new scopes
2014-08-07 20:49:28 +00:00
Danilo Bargen
b3bbc3ca20
Handle upstreams without a trailing slash
2014-07-08 15:06:41 +02:00
Danilo Bargen
cfe186d6cb
Fixed wrong error message
2014-07-08 14:07:07 +02:00
Sean O'Connor
11ce460209
Updated redirect arg handling to only happen when needed.
2013-10-24 17:40:29 +00:00
Sean O'Connor
d2b1815d43
After authentication, redirect to original URI.
2013-10-23 20:29:39 +00:00
Jehiah Czebotar
c97de52200
handle sign in directly (if using htpasswd)
2012-12-26 18:26:03 +00:00
Jehiah Czebotar
4367e47a46
don't promote htpasswd auth; auth directly
2012-12-26 16:55:20 +00:00
Jehiah Czebotar
c459806ab0
promote basic auth to cookie
2012-12-26 10:35:02 -05:00