* extract email from id_token for azure provider
this change fixes a bug when --resource is specified with non-Graph
api and the access token destined to --resource is used to call Graph
api
* fixed typo
* refactor GetEmailAddress to EnrichSessionState
* make getting email from idtoken best effort and fall back to previous behavior when it's absent
* refactor to use jwt package to extract claims
* fix lint
* refactor unit tests to use test table
refactor the get email logic from profile api
* addressing feedback
* added oidc verifier to azure provider and extract email from id_token if present
* fix lint and codeclimate
* refactor to use oidc verifier to verify id_token if oidc is configured
* fixed UT
* addressed comments
* minor refactor
* addressed feedback
* extract email from id_token first and fallback to access token
* fallback to access token as well when id_token doesn't have email claim
* address feedbacks
* updated change log!
* Use a specialized ResponseWriter in middleware
* Track User & Upstream in RequestScope
* Wrap responses in our custom ResponseWriter
* Add tests for logging middleware
* Inject upstream metadata into request scope
* Use custom ResponseWriter only in logging middleware
* Assume RequestScope is never nil
This includes a fix for our samesite cookie parsing. The behaviour
changed in 1.16 so that the default value now leaves it empty, so it's
equivalent to not setting it (as per spec)
* GH-1015 Adds support for Traefik to OauthStart on '/oauth2/auth' endpoint
* Fix incorrect reference to signout path and point to signin path
- remove commented out alternative solutions and debug log statements
* Remove skip provider button check as SignIn method already does this
* Updated traefik example to match existing file configuration reference, updated tests
* Update doc and refactor nested conditional statements
* Revert code changes as static upstream provides the same functionality
- Add doc on using static upstream with Traefik ForwardAuth middleware
* update changelog
* Move the doc changes to 7.0.x versioned docs
* Re-add traefik docs update in the main docs overview.md
* add missing oauth2-proxy routing
Co-authored-by: Praveen Chinthala <PraveenChinthala@hollandandbarrett.com>
Add the Prometheus http.Handler to serve metrics at MetricsPath ("/metrics"
by default). This allows Prometheus to scrape metrics from OAuth2 Proxy.
Add a new middleware NewRequestMetrics and attach it to the preAuth
chain. This will collect metrics on all requests made to OAuth2 Proxy
Collapse some calls to Prinf() and os.Exit(1) to Fatalf as they are
equivalent. main() has a strict 50 lines limit so brevity in these
calls appreciated
* Use comma separated value for multiple claims
* Fix lint error
* Fix more tests
* Fix one more test
* Always flatten the headers
* Ensure we test the real multi-groups
* Only update map when necessary
* Update CHANGELOG
* Move to the right location of change log
* Fix blank line
* Add sensible logging flag to default setup for logger
* Use logger instead of fmt for info logging with sensible data
* Remove sensible logging flag
* Update CHANGELOG.md
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* properly handle splitted cookies with names ending with _
* test update
* provide cookieName into joinCookies instead of processing the suffix
* changelog update
* test update
* Add support for gitlab projets
* Add group membership in state
* Use prefixed allowed groups everywhere
* Fix: remove unused function
* Fix: rename func that add data to session
* Simplify projects and groups session funcs
* Add project access level for gitlab projects
* Fix: default access level
* Add per project access level
* Add user email when missing access level
* Fix: harmonize errors
* Update docs and flags description for gitlab project
* Add test with both projects and groups
* Fix: log error message
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Fix: make doc a markdown link
* Add notes about read_api scope for projects
* Fix: Verifier override in Gitlab Provider
This commit fixes a bug caused by an override of the Verifier value from *ProviderData inside GitlabProvider struct
* Fix: ensure data in session before using it
* Update providers/gitlab.go
Co-authored-by: Nick Meves <nick.meves@greenhouse.io>
* Rename gitlab project initializer
* Improve return value readbility
* Use splitN
* Handle space delimiters in set project scope
* Reword comment for AddProjects
* Fix: typo
* Rework error handling in addProjectsToSession
* Reduce branching complexity in addProjectsToSession
* Fix: line returns
* Better comment for addProjectsToSession
* Fix: enrich session comment
* Fix: email domains is handled before provider mechanism
* Add archived project unit test
* Fix: emails handling in gitlab provider
Co-authored-by: Wilfried OLLIVIER <wollivier@bearstech.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Nick Meves <nick.meves@greenhouse.io>
* Support TLS 1.3
* Set TLS 1.3 explicitly to fix gosec warning.
* Add an entry to changelog.
* Fix typo in the changelog.
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Implement azure token refresh
Based on original PR https://github.com/oauth2-proxy/oauth2-proxy/pull/278
* Update CHANGELOG.md
* Apply suggestions from code review
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Set CreatedAt to Now() on token refresh
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Allow complex structure for groups in group claim.
* Remove unused constant
* Update variable name
* Fix linting
* Use helper method
* Log error if not possible to append group value
* Add missing import
* Use own logger
* Fix imports
* Remove Dockerfile for testing
* Add Changelog entry
* Use formatGroup helper method and update tests
* Return string instead of string array
* Remove groups variable
* Return error in format method.
* Reorder imports
Co-authored-by: Nick Meves <nick.meves@greenhouse.io>
* simplify github actions workflow
no more GOPATH, update Go to 1.15.x
* add script to install golangci-lint
* drop support for Go 1.14
* check docker build in ci
* update alpine linux to 3.12
* update CHANGELOG
* fix golangci-lint installation
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* update go-redis/redis to v8
testify, ginko and gomega have also been updated.
* update changelog
* Update pkg/sessions/redis/redis_store_test.go
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* ci: migrate to Github Actions
* ci: optimize on feedback
* ci: run gocov in correct dir
* ci: running after-build script always
* ci: giving test script execute permission
* ci: correct error handling on test script
* ci: more verbose test script
* ci: configure CC_TEST_REPORTER_ID env
* ci: check existence of CC_TEST_REPORT_ID variable, skip if unset
* ci: check existence of CC_TEST_REPORT_ID variable, skip if unset
* update changelog
* Update CHANGELOG.md
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
This reverts to functionality before #499 where an OIDC
provider could be used with `--skip-jwt-bearer-tokens` and
tokens without an email or profileURL would still be valid.
This logic mirrors `middleware.createSessionStateFromBearerToken`
which used to be the universal logic before #499.
* Centralize Ticket management of persistent stores
persistence package with Manager & Ticket will handle
all the details about keys, secrets, ticket into cookies,
etc. Persistent stores just need to pass Save, Load &
Clear function handles to the persistent manager now.
* Shift to persistence.Manager wrapping a persistence.Store
* Break up the Redis client builder logic
* Move error messages to Store from Manager
* Convert ticket to private for Manager use only
* Add persistence Manager & ticket tests
* Make a custom MockStore that handles time FastForwards
* Strip X-Forwarded auth headers from whitelisted paths
For any paths that match skip-auth-regex, strip normal
X-Forwarded headers that would be sent based on pass-user-headers
or pass-access-token settings. This prevents malicious injecting
of authentication headers through the skip-auth-regex paths in
cases where the regex might be misconfigured and too open.
Control this behavior with --skip-auth-strip-headers flag. This
flag is set to TRUE by default (this is secure by default, but
potentially breaks some legacy configurations).
Only x-Forwarded headers stripped, left the Authorization header
untouched.
* Strip authorization header if it would be set
* Improve TestStripAuthHeaders test table
* Improve --skip-auth-strip-headers flag documentation
* Encode sessions with MsgPack + LZ4
Assumes ciphers are now mandatory per #414. Cookie & Redis sessions
can fallback to V5 style JSON in error cases. TODO: session_state.go
unit tests & new unit tests for Legacy fallback scenarios.
* Only compress encoded sessions with Cookie Store
* Cleanup msgpack + lz4 error handling
* Change NewBase64Cipher to take in an existing Cipher
* Add msgpack & lz4 session state tests
* Add required options for oauthproxy tests
More aggressively assert.NoError on all
validation.Validate(opts) calls to enforce legal
options in all our tests.
Add additional NoError checks wherever error return
values were ignored.
* Remove support for uncompressed session state fields
* Improve error verbosity & add session state tests
* Ensure all marshalled sessions are valid
Invalid CFB decryptions can result in garbage data
that 1/100 times might cause message pack unmarshal
to not fail and instead return an empty session.
This adds more rigor to make sure legacy sessions
cause appropriate errors.
* Add tests for legacy V5 session decoding
Refactor common legacy JSON test cases to a
legacy helpers area under session store tests.
* Make ValidateSession a struct method & add CHANGELOG entry
* Improve SessionState error & comments verbosity
* Move legacy session test helpers to sessions pkg
Placing these helpers under the sessions pkg removed
all the circular import uses in housing it under the
session store area.
* Improve SignatureAuthenticator test helper formatting
* Make redis.legacyV5DecodeSession internal
* Make LegacyV5TestCase test table public for linter
Weinong Wang
Joel Speed
Nick Meves
Stefan Sedich
Praveen Chinthala
Sean Jones
Nishanth Reddy
Lida Li
Kevin Kreitner
Nikolai Prokoschenko
Ilia Pertsev
İlteriş Eroğlu
Mathieu Lecarme
Akira Ajisaka
Arcadiy Ivanov
ofir-amir
Alexander Block
Kevin Kreitner
Mitsuo Heijo
Shinebayar G
Thiago Caiubi
Lennart Jern
Dan Bond
Phil Taprogge
Andy Voltz