When using sockets to pass data between e.g. nginx and oauth2-proxy it's
simpler to use sockets. Systemd can even facilitate this and pass the
actual socket directly.
This also means that only the socket runs with the same group as nginx
while the service runs with DynamicUser.
Does not support TLS yet.
nginx
```
server {
location /oauth2/ {
proxy_pass http://unix:/run/oauth2-proxy/oauth2.sock;
}
```
oauth2-proxy.socket
```
[Socket]
ListenStream=%t/oauth2.sock
SocketGroup=www-data
SocketMode=0660
```
Start oauth2-proxy with the parameter `--http-address=fd:3`.
Signed-off-by: Josef Johansson <josef@oderland.se>
* Issue 2311: runtime error: index out of range [0] with length 0 while extracting state of of the csrf
---------
Co-authored-by: tuunit <jan@larwig.com>
* feat: Replace default Go user-agent with oauth2-proxy and version
* Add to CHANGELOG
* Make userAgentTransport configurable and composable
* Use correct naming convention for DefaultHTTPClient
* Move version to own package and use named arguments
* Update version path in Makefile
* Fix import path in Makefile
* Change importpath in dist.sh
* Minor style issues
By using the context created by the test, the goroutines produced in
http.Client is actually closed when cancelled and such, not leaked.
Signed-off-by: Josef Johansson <josef86@gmail.com>
* Session aware logout, backend logout url approach
* Add CHANGELOG.md and documentation for #1876
* Proper http handling and case change for golint compliance
* Update alpha_config.md
* Fix case conformity
* Change placeholder from ${id_token} to {id_token}
As this should be specified in a URL and curly braces should be escaped as %7b and %7d, therefore using {} shouldn't be an issue
* Apply suggestions from code review
Co-authored-by: Jan Larwig <jan@larwig.com>
* Add other suggestions
* Add suggestions and move background logout to generic provider
* Changelog updated
* Update oauthproxy.go
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Add comment for gosec, remove sensitive data from log
---------
Co-authored-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* chore: bump go to version 1.21
update all depedencies as well
* fix linting issues based on golang 1.20 deprecations
* cleanup go depedencies
* add custom gomega matcher for option intefaces
* revert and upgrade golangci-lint to 1.55.2
* fix lint issues for v1.55.2 of golangci-lint
* fix toml loading test
* remove second runspecs call
* update go.sum
* revert testutil package
* added envsubstring package and added simple test cases.imple tests.
* added documentation
* added changelog entry
* added documentation to wrong file
.
* changed tests to ginkgo format
* update project to use better maintained library
* use defer to clear test variable after tests finished
* updated docs for the new package documentation and fixed bad english
* refactored function to "reduce" complexity.
* updated changelog for new version
updated readme
* minor formatting
---------
Co-authored-by: Haydn Evans <h.evans@douglas.de>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Log error details when failed loading CSRF cookie
* Add a record about this PR to CHANGELOG.md
---------
Co-authored-by: Ondrej Charvat <ondrej.charvat@yunextraffic.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Create sha256sum for tar instead of binary
* chore: Add checksum for binary
* chore: Updated changelog
---------
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Add possibility to encode the state param as UrlEncodedBase64
* Update CHANGELOG.md
* Update oauthproxy.go
Co-authored-by: Jan Larwig <jan@larwig.com>
---------
Co-authored-by: Jan Larwig <jan@larwig.com>
* update go-jose dependency by switching gopkg.in/square/go-jose.v2
with github.com/go-jose/go-jose/v3
* updated `CHANGELOG.md` with entry for PR #2356
---------
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Add GitHub groups (orgs/teams) support
* align code of getTeams with getOrgs to support Github Enterprise Server instances with different domain
* add documentation
* add missing import after rebase
* add nightly build and push (#2297)
* add nightly build and push
* add date based nightly build tags
* only keep single multiarch image build and push
* add changelog
* add images to internal docs static files
* add docu for nightly builds
* remove unnecessary spaces
* update nightly repository
* Issue 978: Fix Custom cookie name breaks redis for session (#1949)
* Issue 978: Fix Custom cookie name breaks redis for session (see https://github.com/oauth2-proxy/oauth2-proxy/issues/978)
* Issue 978: Fix Custom cookie name breaks redis for session (see https://github.com/oauth2-proxy/oauth2-proxy/issues/978)
* Update CHANGELOG.md
* Issue 978: Fix Custom cookie name breaks redis for session
* Issue 978: Fix Custom cookie name breaks redis for session
* Issue 978: Fix Custom cookie name breaks redis for session
* Issue 978: Fix Custom cookie name breaks redis for session
* Issue 978: Fix Custom cookie name breaks redis for session
* Issue 978: Fix Custom cookie name breaks redis for session
* Update CHANGELOG.md
---------
Co-authored-by: Nuno Borges <Nuno.Borges@ctw.bmwgroup.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Support http.AllowQuerySemicolons (#2248)
* Support http.AllowQuerySemicolons
* Docs
* Make it clear we are overriding the handler
* Update documentation for allow-query-semicolons
* Fix changelog format
* Fix formatting
---------
Co-authored-by: MickMake <github@mickmake.com>
* Add GitHub groups (orgs/teams) support
* align code of getTeams with getOrgs to support Github Enterprise Server instances with different domain
* add documentation
* fix changelog & documentation
* fix missing import
---------
Co-authored-by: Tobias Mayer <github@tobiasm.de>
Co-authored-by: Nuno Miguel Micaelo Borges <miguelborges99@gmail.com>
Co-authored-by: Nuno Borges <Nuno.Borges@ctw.bmwgroup.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Tim White <tim.white@su.org.au>
Co-authored-by: MickMake <github@mickmake.com>
* add full support for all oidc config based providers to use and respect all configs set via OIDCConfig
* add changelog entry
---------
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Support http.AllowQuerySemicolons
* Docs
* Make it clear we are overriding the handler
* Update documentation for allow-query-semicolons
* Fix changelog format
* Fix formatting
---------
Co-authored-by: MickMake <github@mickmake.com>
* The `X-Forwarded-Uri` was required to bypass authentication
- Fix the `skip_auth_routes` option not working in Nginx
* Add tests for allowed requests with proxied `X-Forwarded-Uri` header
* Avoid nginx startup failure: host not found in upstream "oauth2-proxy"
* The `--reverse-proxy` option is required for nginx
* Update the change logs
* Use the authOnlyPath constant
* Remove the unused header `X-Scheme`
* add azure china support
Signed-off-by: Markus Blaschke <mblaschke82@gmail.com>
* update changelog
Signed-off-by: Markus Blaschke <mblaschke82@gmail.com>
* fix lint
Signed-off-by: Markus Blaschke <mblaschke82@gmail.com>
---------
Signed-off-by: Markus Blaschke <mblaschke82@gmail.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Add support for unix socket as upstream
* Add CHANGELOG.md entry
* Add Unix socket documentation
* Don't export unixRoundTripper, switch from string prefix to Scheme match
* Add basic unix server mock
* Add some tests and comments
* adding append option for custom CA certs
* updated test for changed GetCertPool signature, added testing to check functionality of empty and non-empty store
* adding legacy options as well
* update associated documentation
* fixing code climate complaints - reduce number of return statements
* Apply suggestions from code review
Changes caFilesAppend (and variants) to useSystemTrustStore
Co-authored-by: Jan Larwig <jan@larwig.com>
* Apply suggestions from code review
Fixes extra whitespaces and grammar.
Co-authored-by: Koen van Zuijlen <8818390+kvanzuijlen@users.noreply.github.com>
* fix indentation
* update changelog
---------
Co-authored-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Koen van Zuijlen <8818390+kvanzuijlen@users.noreply.github.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Update changelog for v7.5.1 release
* Create versioned docs for release v7.5.x
Created using: yarn run docusaurus docs:version 7.5.x
---------
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Validate jsonpath in claim extractor
Signed-off-by: Joseph Weigl <joseph.weigl@audi.de>
* Add test and changelog for claim extractor json path
---------
Signed-off-by: Joseph Weigl <joseph.weigl@audi.de>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Create session cookie when cookie-expire set 0
* Fix format
* add test
* fix lint error
* fix test code
* fix conflicted test case
* update test case of cookie expiration
* update tests of csrf cookies
* update docs
* Update docs/docs/configuration/overview.md
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
---------
Co-authored-by: tanuki884 <morkazuk@fsi.co.jp>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS
* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS
* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS
* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS
* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS
* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS
* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS
* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS
* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS
* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS
---------
Co-authored-by: Nuno Borges <Nuno.Borges@ctw.bmwgroup.com>
* Log the difference between invalid email and not authorized session
* Add changelog entry
* Remove superfluous argument
---------
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Ensure sign-in page background is uniform throughout the page
Configured banners that take up large amounts of space leave a gap of blank
background between where the body ends and the footer starts. Fix this by
setting the style for the section containing the banner to match the body and
footer
* Add changelog entry
---------
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs
* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs
* Fixes CVE-2022-41721 (#1994)
See: https://avd.aquasec.com/nvd/2022/cve-2022-41717/
* update checkout actions (#1981)
* Fix a typo in oauthproxy.go (#2021)
* fix typo (#2001)
* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs
* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs
* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs
* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs
* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs
* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs
* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs
---------
Co-authored-by: Nuno Borges <Nuno.Borges@ctw.bmwgroup.com>
Co-authored-by: Jeroen Landheer <jlandheer@bintelligence.nl>
Co-authored-by: Ryuichi Watanabe <ryucrosskey@gmail.com>
Co-authored-by: Ho Kim <ho.kim@ulagbulag.io>
Co-authored-by: Terrell Russell <terrellrussell@gmail.com>
* feat: readiness check
* fix: no need for query param
* docs: add a note
* chore: move the readyness check to its own endpoint
* docs(cr): add godoc
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Fix uninitialized user claim
Some providers doesn't initialize data with setProviderDefaults function
(keycloak-oidc for example), therefore UserClaim is never initialized
with the default value and stay as an empty string.
This result in an empty user.
* Add CHANGELOG.md entry for #1873
* Call setProviderDefaults where missing
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Update go-redis/redis to v9.
- And updated redislock, testify, ginko and gomega have also been updated.
- Renamed the option `IdleTimeout` to `ConnMaxIdleTime` because of 517938a6b0/CHANGELOG.md
* Update CHANGELOG.md
* Dropping dot import of the types since they created aliases now
* fixing some error messages to make tests happy
* updating more error messages that were changed to make tests happy
* reverting error messages
Co-authored-by: Muhammad Arham <marham@i2cinc.com>
* Avoid Nextcloud "Current user is not logged in" (Statuscode 997)
The error message results from oauth2-proxy trying to pass the
access token via URL. Instead it needs to be sent via header,
thus the Nextcloud provider requires a fix similar to what #1502
did before for the keycloak provider.
* Implement EnrichSession() for Nextcloud provider
Parse nested JSON to transform relevant information (groups, id,
email) from the OAuth2 userinfo endpoint into session.
* Update CHANGELOG.md (add link to PR #1750)
* Add API route config
In addition to requests with Accept header `application/json` return 401 instead of 302 to login page on requests matching API paths regex.
* Update changelog
* Refactor
* Remove unnecessary comment
* Reorder checks
* Lint Api -> API
Co-authored-by: Sebastian Halder <sebastian.halder@boehringer-ingelheim.com>
* dynamically update the htpasswdMap based on the changes made to the htpasswd file
* added tests to validate that htpasswdMap is updated after the htpasswd file is changed
* refactored `htpasswd` and `watcher` to lower cognitive complexity
* returned errors and refactored tests
* added `CHANGELOG.md` entry for #1701 and fixed the codeclimate issue
* Apply suggestions from code review
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Fix lint issue from code suggestion
* Wrap htpasswd load and watch errors with context
* add the htpasswd wrapped error context to the test
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Inconsistent code-challenge-method CLI flag and config file naming
- Allow previous config option for now to prevent breaking configs
Fixes#1667
* Add changelog entry
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Fix vulnerabilities on crypto, net and sys packages and change go version on Docker builder stage
* Changelog related PR $1774
Co-authored-by: Felipe Bonvicini Conti <felipe.conti@totvs.com.br>
* adding IdleTimeout with the redis-connection-idle-timeout flag, to keep redis connections in valid state, when Redis option is set
* docs update - add redis idle timeout configurations
* changelog update for #1691 fix
* Unbreak oauth2-proxy for keycloak provider after 2c668a
With 2c668a, oauth2-proxy fails a request if the token validation fails.
Token validation always fails with the keycloak provider, due to the
valudation request passing the token via the URL, and keycloak not
parsing the url for tokens.
This is fixed by forcing the validation request to pass the token via a
header.
This code taken from the DigitalOcean provider, which presumably forcing
the token to be passed via header for the same reason.
Test plan: I was unable to build a docker image to test the fix, but I
believe it is relatively simple, and it passes the "looks good to me"
test plan.
* Add changelog entry for unbreak keycloak
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Josef Johansson
bjencks
Gavin Mogan
github-actions[bot]
Nuno Miguel Micaelo Borges
rd-danny-fleer
tuunit
Johann
Ian Roberts
priby05
Koen van Zuijlen
af su
Jacob Middag
Pierluigi Lenoci
Josef Johansson
Damien Degois
Ross Golder
Nils Gustav Stråbø
charvadzo
Jan Brezina
darh
Conrad Hoffmann
Tim White
Charley Wu
Markus Blaschke
emsixteeen
axel7083
Pierluigi Lenoci
vllvll
polarctos
Cory Bolar
Joseph Weigl
Jan Wystub
t-katsumura
Amr Hanafi
Ole-Martin Bratteng
Marc Schiereck
Kobi Meirson
Braunson M
Joel Speed
dulakm
Muhammad Arham
Centzilius
Adrian Aneci
Chris Bednarz
NiteHawk
Segfault16
tooptoop4
Ian Serpa
Alexandru Ciobanu
Chris Bednarz
Felipe B. Conti
Dmitry Kartsev
Chris
Alexandru Ciobanu
ckwalsh
adamsong