Commit Graph

2281 Commits

Author SHA1 Message Date
Jan Larwig cbc3bdaac1
Merge f289a516e2 into 1d6721f7ba 2026-01-17 10:49:20 +01:00
Pascal 1d6721f7ba
fix: WebSocket proxy to respect PassHostHeader setting (#3290)
* Fix WebSocket proxy to respect PassHostHeader setting

When PassHostHeader is set to false, the regular HTTP proxy correctly
sets the Host header to the upstream backend URL. However, the WebSocket
proxy was not respecting this setting, causing WebSocket connections to
fail when backend services validate the Host header.

This commit:
- Adds passHostHeader parameter to newWebSocketReverseProxy()
- Applies setProxyUpstreamHostHeader() when PassHostHeader=false
- Ensures consistent behavior between HTTP and WebSocket proxies

Fixes #3288

Signed-off-by: Pascal Schmiel <pascal.schmiel@gmail.com>

* chore(): add tests, update changelog

Signed-off-by: Pascal Schmiel <pascal.schmiel@gmail.com>

---------

Signed-off-by: Pascal Schmiel <pascal.schmiel@gmail.com>
2026-01-16 20:30:16 +01:00
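The Host-header behaviour described in the commit above, as an added illustration that is not oauth2-proxy's own code: one director rewrites outgoing requests for both plain HTTP and WebSocket upgrades, and only when the (assumed) `passHostHeader` flag is false does it replace the client's Host with the upstream host. Names such as `newDirector`, `EffectiveHost` and the `backend.internal` upstream are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// IsWebSocketUpgrade reports whether the request asks to switch protocols
// to WebSocket (RFC 6455 handshake headers).
func IsWebSocketUpgrade(r *http.Request) bool {
	return strings.EqualFold(r.Header.Get("Upgrade"), "websocket") &&
		strings.Contains(strings.ToLower(r.Header.Get("Connection")), "upgrade")
}

// newDirector builds the request rewriter for a reverse proxy. When
// passHostHeader is false the Host header is replaced with the upstream
// host, so backends that validate Host (virtual hosting, origin checks)
// accept the proxied request. The same director serves HTTP and WebSocket
// traffic, which is the consistency the fix above is about.
// (Assumed shape; not the project's own code.)
func newDirector(upstream *url.URL, passHostHeader bool) func(*http.Request) {
	return func(r *http.Request) {
		r.URL.Scheme = upstream.Scheme
		r.URL.Host = upstream.Host
		if !passHostHeader {
			r.Host = upstream.Host
		}
	}
}

// NewProxy wires the director into httputil.ReverseProxy. ReverseProxy
// forwards WebSocket upgrades itself, so no second proxy type is needed.
func NewProxy(upstream *url.URL, passHostHeader bool) *httputil.ReverseProxy {
	return &httputil.ReverseProxy{Director: newDirector(upstream, passHostHeader)}
}

// EffectiveHost applies the director to a constructed request and returns
// the Host value the backend would receive. The request is built inline so
// the behaviour can be checked without a network.
func EffectiveHost(rawUpstream, clientHost string, websocket, passHostHeader bool) (string, error) {
	upstream, err := url.Parse(rawUpstream)
	if err != nil {
		return "", err
	}
	r, err := http.NewRequest(http.MethodGet, "http://"+clientHost+"/ws", nil)
	if err != nil {
		return "", err
	}
	if websocket {
		r.Header.Set("Connection", "Upgrade")
		r.Header.Set("Upgrade", "websocket")
	}
	newDirector(upstream, passHostHeader)(r)
	return r.Host, nil
}

func main() {
	for _, pass := range []bool{true, false} {
		h, err := EffectiveHost("http://backend.internal:8080", "app.example.com", true, pass)
		if err != nil {
			panic(err)
		}
		fmt.Printf("passHostHeader=%v websocket Host=%s\n", pass, h)
	}
}
```

The check to run after a change like this is the second case: with `passHostHeader=false` a WebSocket upgrade must reach the backend with `Host: backend.internal:8080`, not the public hostname.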
Pierluigi Lenoci 3c22bc7877
docs: split integration.md into separate integration guides (#3299)
* docs: add Kubernetes Dashboard integration guide for Azure Entra ID

Add comprehensive documentation for integrating oauth2-proxy with
Kubernetes Dashboard on Azure Kubernetes Service (AKS) using Azure
Entra ID authentication.

Changes:
- Add new section "Kubernetes Dashboard on AKS" to ms_entra_id.md
  with complete configuration examples including:
  - Architecture overview and integration flow
  - Alpha configuration for oauth2-proxy Helm chart
  - Dashboard Ingress with proper auth annotations
  - RBAC configuration (user-based and group-based)
  - Troubleshooting guide for common issues
  - Workload Identity (passwordless) setup

- Add reference link in integration.md pointing to the new section
  for users looking for Kubernetes Dashboard integration examples

This addresses common issues users face when integrating Dashboard
with Entra ID, particularly:
- Missing Authorization header in auth-response-headers
- Insufficient buffer sizes for large Entra ID tokens
- RBAC permission configuration
- Group claims setup

Closes: oauth2-proxy/manifests#348
Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com>

* docs: split integration.md into separate integration guides

Split the monolithic integration.md file into a structured integrations
directory with individual pages for each tool as requested by maintainer.

Changes:
- Create new docs/configuration/integrations/ directory structure
- Split content into separate files:
  - nginx.md: Nginx auth_request directive configuration
  - traefik.md: Traefik v2 ForwardAuth middleware setup
  - caddy.md: Caddy v2 forward_auth directive configuration
  - kubernetes-dashboard.md: K8s Dashboard integration (with deprecation notice)
  - headlamp.md: Headlamp integration guide (recommended alternative)
- Transform integration.md into an index/overview page linking to all integrations
- Update docs/sidebars.js to use new Integration Guides category structure

The content has been preserved as-is from the original file, only
reorganized into separate files for better maintainability and
navigation. Added deprecation notice for Kubernetes Dashboard per
0ba796dce6

Addresses maintainer feedback from PR #3299

Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com>

* fix: restore Kubernetes Dashboard tip box in nginx integration docs

Add back the tip box referencing the Kubernetes Dashboard Azure Entra ID
integration example that was present in the original integration.md file.

This ensures all content from the original file is preserved in the split
documentation structure.

Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com>

* refactor: move Kubernetes Dashboard details to integration guide

Move the detailed Kubernetes Dashboard integration content from the
ms_entra_id provider documentation to the integrations section where
it logically belongs.

Changes:
- Move complete K8s Dashboard guide from ms_entra_id.md to
  integrations/kubernetes-dashboard.md (architecture, configuration,
  RBAC, troubleshooting, Workload Identity)
- Replace detailed section in ms_entra_id.md with brief reference
  to integration guide
- Reorder sidebar: Headlamp before Kubernetes Dashboard
- Update integration.md index to show Headlamp first (recommended),
  Dashboard last (deprecated)

This improves documentation organization by keeping integration guides
in the integrations/ directory and provider docs focused on provider
configuration.

Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com>

* docs: move integration.md to integrations/index.md

Signed-off-by: Jan Larwig <jan@larwig.com>

---------

Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
2026-01-16 09:37:52 +01:00
Michi Gysel 49536035a2
fix: session refresh handling in OIDC provider (#3267)
* Fix session refresh handling in OIDC provider

- `s.Refreshed` was always `false` as the session object was not updated
- `ValidateURL` is, by default, not configured for OIDC providers. Access token validation now only happens when a validation endpoint is available.

Signed-off-by: Michael Gysel <michael.gysel@unblu.com>

* Update changelog

Signed-off-by: Michael Gysel <michael.gysel@unblu.com>

---------

Signed-off-by: Michael Gysel <michael.gysel@unblu.com>
2026-01-14 23:18:27 +01:00
dawg b4eb611c07
feat: more aggressively truncate logged access_token (#3264)
* partly address #2120 and more aggressively truncate access_token

- leaking half of the access token to the logs seems problematic from
  a security point of view
- also noisier than necessary logging
- fixed by truncating to at most first 5 chars (e.g. `ya29.`)

Signed-off-by: Martin Nowak <code@dawg.eu>

* feat: more aggressively truncate logged access_token; add unit test and changelog

Signed-off-by: Jan Larwig <jan@larwig.com>

---------

Signed-off-by: Martin Nowak <code@dawg.eu>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
2026-01-14 23:12:51 +01:00
renovate[bot] f3dcffed27
chore(deps): update traefik docker tag to v2.11.35 (#3295)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-01-14 22:28:27 +01:00
Drew Foehn 3c37312f3c
fix: added conditional so default is not always set and env vars are honored #3303 (#3304)
Signed-off-by: Drew Foehn <drew@pixelburn.net>
2026-01-14 22:18:52 +01:00
Shriya Kamat Tarcar a8e208430e
docs: add Cisco Duo SSO provider documentation (#3306)
* docs: add Cisco Duo SSO provider documentation

Signed-off-by: Jan Larwig <jan@larwig.com>

* doc: backport to versioned docs 7.13 and fix alphabetical order of entries

Signed-off-by: Jan Larwig <jan@larwig.com>

* doc: improved clarity for the cisco duo configuration steps

Signed-off-by: Jan Larwig <jan@larwig.com>

---------

Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
2026-01-14 22:17:15 +01:00
NirronCD a2f2223d2b
doc: improved clarity and correctness of proxy behaviour (#3305)
* doc: adjust regarding description of behaviour

Signed-off-by: NirronCD <nirron@rietto.com>

* doc: changed style, added suggested

Signed-off-by: NirronCD <nirron@rietto.com>

* doc: minor fix to docusaurus metadata syntax

Signed-off-by: NirronCD <nirron@rietto.com>

* docs: improved clarity for how the proxy behaves in different scenarios

Signed-off-by: Jan Larwig <jan@larwig.com>

---------

Signed-off-by: NirronCD <nirron@rietto.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
2026-01-14 21:26:50 +01:00
Jan Larwig f289a516e2
feat(cookie): change SameSiteMode and ScriptAccess enum values to PascalCasing
Signed-off-by: Jan Larwig <jan@larwig.com>
2026-01-06 20:22:22 +01:00
Jan Larwig d29b846052
fix: boolean print and contrib example file
Signed-off-by: Jan Larwig <jan@larwig.com>
2026-01-06 20:22:21 +01:00
Jan Larwig 6ac03bcad6
fix: cookie secret source and header value conversion workflow
Signed-off-by: Jan Larwig <jan@larwig.com>
2026-01-06 20:22:21 +01:00
Jan Larwig dda89305d8
fix: cookie secret related test cases
Signed-off-by: Jan Larwig <jan@larwig.com>
2026-01-06 20:22:21 +01:00
Jan Larwig 82a74a541a
feat(config): convert cookie property (Not)HTTPOnly boolean to enum
Signed-off-by: Jan Larwig <jan@larwig.com>
2026-01-06 20:22:20 +01:00
Jan Larwig ab6ab29258
feat: support for session options in alpha config and refactoring of cookie options
Signed-off-by: Jan Larwig <jan@larwig.com>
2026-01-06 20:22:20 +01:00
Jan Larwig 37e8e2aa9d
feat: support for cookie in alpha config and legacy file structure refactoring
Signed-off-by: Jan Larwig <jan@larwig.com>
2026-01-06 20:22:20 +01:00
renovate[bot] 0100ca9403
chore(deps): update alpine docker tag to v3.23.2 (#3296)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-01-06 19:42:27 +01:00
renovate[bot] 854a74793b
chore(deps): update dependency golangci/golangci-lint to v2.7.2 (#3254)
* chore(deps): update dependency golangci/golangci-lint to v2.7.2

* chore(linter): fix gocritic deprecation message issue

Signed-off-by: Jan Larwig <jan@larwig.com>

* chore(lint): fix var-naming: avoid package names that conflict with Go standard library package names (revive)

Signed-off-by: Jan Larwig <jan@larwig.com>

---------

Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
2026-01-04 10:23:26 +01:00
renovate[bot] 6a0d821df8
chore(deps): update actions/checkout action to v6 (#3273)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-12-24 11:31:18 +01:00
renovate[bot] 12564e02d0
chore(deps): update docker-compose (#3272)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-12-24 11:30:58 +01:00
Jan Larwig 699f367115
chore(deps): upgrade gomod and bump to golang v1.25.5 (#3292)
Signed-off-by: Jan Larwig <jan@larwig.com>
2025-12-24 11:30:23 +01:00
renovate[bot] 4956bab3fe
chore(deps): update module golang.org/x/crypto to v0.45.0 [security] (#3266)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-12-24 10:55:38 +01:00
Jan Larwig e27921ee80
Merge pull request #2628 from tuunit/use-mapstructures-for-parsing-and-merging
structured config #1: introduce mapstructure decoder for yaml parsing
2025-11-28 18:14:11 +01:00
Jan Larwig aee540a277
doc: fix mapstructure configuration comments
Signed-off-by: Jan Larwig <jan@larwig.com>
2025-11-28 17:20:15 +01:00
Jan Larwig 15041dd116
feat: migrate google used organization id and header normalization booleans to pointers
Signed-off-by: Jan Larwig <jan@larwig.com>
2025-11-16 22:39:01 +01:00
Jan Larwig 0eec65e230
refactor: ptr.Ptr to ptr.To
Signed-off-by: Jan Larwig <jan@larwig.com>
2025-11-16 22:38:59 +01:00
Jan Larwig 137decb1ec
adapting unit tests and fixing minor issues introduced with the derefing
Signed-off-by: Jan Larwig <jan@larwig.com>
2025-11-16 22:38:57 +01:00
Jan Larwig 638fba417f
deref everything but now with default constants
Signed-off-by: Jan Larwig <jan@larwig.com>
2025-11-16 22:38:56 +01:00
Jan Larwig ceb9a387b1
deref everything... but why?
Signed-off-by: Jan Larwig <jan@larwig.com>
2025-11-16 22:38:54 +01:00
Jan Larwig 527c72f23f
feat: add ensure defaults to all migrated structs
Signed-off-by: Jan Larwig <jan@larwig.com>
2025-11-16 22:38:52 +01:00
Jan Larwig 51b1fd0510
chore(deps): replace with forked official yaml library
Signed-off-by: Jan Larwig <jan@larwig.com>
2025-11-16 22:38:51 +01:00
Jan Larwig 9d70e04262
feat: migrate all alpha config booleans to pointers
Signed-off-by: Jan Larwig <jan@larwig.com>
2025-11-16 22:38:49 +01:00
Jan Larwig 50414356e8
return nil directly
Signed-off-by: Jan Larwig <jan@larwig.com>
2025-11-16 22:38:47 +01:00
Jan Larwig 955ab6b41b
fix test setup and add local image build make target
Signed-off-by: Jan Larwig <jan@larwig.com>
2025-11-16 22:38:46 +01:00
Jan Larwig 48bd2d7d38
fix merge problems and test cases
Signed-off-by: Jan Larwig <jan@larwig.com>
2025-11-16 22:38:44 +01:00
Jan Larwig 810f629ee8
revert: secrets as []byte instead of string
Signed-off-by: Jan Larwig <jan@larwig.com>
2025-11-16 22:38:42 +01:00
Jan Larwig aaf1889b97
fix alpha config
Signed-off-by: Jan Larwig <jan@larwig.com>
2025-11-16 22:38:40 +01:00
Jan Larwig 18fc898129
resolve cipher deprecation and update mapstructures v2
Signed-off-by: Jan Larwig <jan@larwig.com>
2025-11-16 22:38:29 +01:00
tuunit 4c0dd28f12
fix alpha config example
Signed-off-by: Jan Larwig <jan@larwig.com>
2025-11-16 22:38:26 +01:00
tuunit c186d40675
use official upstream yaml library v3
Signed-off-by: Jan Larwig <jan@larwig.com>
2025-11-16 22:38:22 +01:00
tuunit 6720d8da60
add duration test
Signed-off-by: Jan Larwig <jan@larwig.com>
2025-11-16 22:38:18 +01:00
Jan Larwig 676f56a35e
apply review suggestions
Signed-off-by: Jan Larwig <jan@larwig.com>
2025-11-16 22:38:03 +01:00
tuunit 7c20001045
introduce mapstructure decoder for yaml parsing
remove color output in tests for better readability in github actions

bugfix: remove google as default provider for alpha options

fix conversion flow for toml to yaml

revert ginkgo color deactivation

revert claim- and secret source back to pointers

regenerate alpha config

Signed-off-by: Jan Larwig <jan@larwig.com>
2025-11-16 22:37:37 +01:00
Raúl Sampedro 7cf69b27fa
fix: NewRemoteKeySet is not using DefaultHTTPClient (#3197)
* fix: NewRemoteKeySet is not using DefaultHTTPClient

Signed-off-by: Jan Larwig <jan@larwig.com>

* doc: add changelog entry

Signed-off-by: Jan Larwig <jan@larwig.com>

---------

Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
2025-11-11 21:08:08 +01:00
renovate[bot] e4becfdf1f
chore(deps): update dependency node to v24 (#3256)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-11-11 20:34:16 +01:00
renovate[bot] 6a4255c21a
chore(deps): update docker-compose (#3255)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2025-11-11 20:33:50 +01:00
fossabot 0107d6da5b
Add license scan report and status (#3248)
* Add license scan report and status

Signed-off-by: fossabot <badges@fossa.com>

* doc: fix fossa badge position

Signed-off-by: Jan Larwig <jan@larwig.com>

---------

Signed-off-by: fossabot <badges@fossa.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
2025-11-09 20:20:20 +01:00
Jan Larwig fcf4e7947b
fix: hmacauth dependency licensing issue (#3253)
* fix: upstream licensing issue by adopting hmacauth library and changing asserting library for its test cases

Signed-off-by: Jan Larwig <jan@larwig.com>

* fix: golang code quality and linting issues for hmacauth

Signed-off-by: Jan Larwig <jan@larwig.com>

---------

Signed-off-by: Jan Larwig <jan@larwig.com>
2025-11-09 20:14:54 +01:00
github-actions[bot] 082b49aaeb
release: v7.13.0 (#3251)
* add new docs version 7.13.x

* update to release version v7.13.0

* doc: add release notes v7.13.0

Signed-off-by: Jan Larwig <jan@larwig.com>

---------

Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
2025-11-08 14:29:37 +01:00
Jacob Alberty fcc2db040e
feat: add allowed_* constraint option to proxy endpoint query string (#2841)
* Add check for constraints to the proxy endpoint

* Add tests for allowed_groups query string

* Add this feature to the changelog

* Apply suggestions from code review

Co-authored-by: Jan Larwig <jan@larwig.com>

* Use explicit key names in TestProxyAllowedGroups

* Document the query parameters on proxy endpoint

* Comment was copied from the AuthOnly handler but on closer inspection is not relevant here;
replacing comment with one more relevant

---------

Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
2025-11-08 13:58:34 +01:00
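An added example, not oauth2-proxy's own code, of how per-request `allowed_*` constraints carried in a query string can be evaluated against a session. It assumes the parameter names `allowed_groups`, `allowed_emails` and `allowed_email_domains`, comma-separated values, any-of semantics within one constraint, and that every supplied constraint must pass; the `Session` type and `Check` helper are assumptions for this illustration. Domains are compared exactly rather than by suffix, so `evil.example.com` does not satisfy `example.com`.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constraints holds the allowed_* restrictions found in a query string.
// An empty slice means that kind of restriction was not requested.
type Constraints struct {
	Groups       []string
	Emails       []string
	EmailDomains []string
}

// Session is the minimal view of an authenticated session this example needs
// (assumed shape, not the project's session type).
type Session struct {
	Email  string
	Groups []string
}

// splitCSV flattens repeated keys and comma-separated values, dropping blanks.
func splitCSV(vals []string) []string {
	var out []string
	for _, v := range vals {
		for _, p := range strings.Split(v, ",") {
			if p = strings.TrimSpace(p); p != "" {
				out = append(out, p)
			}
		}
	}
	return out
}

// ParseConstraints reads the assumed allowed_* parameters from a query.
func ParseConstraints(q url.Values) Constraints {
	return Constraints{
		Groups:       splitCSV(q["allowed_groups"]),
		Emails:       splitCSV(q["allowed_emails"]),
		EmailDomains: splitCSV(q["allowed_email_domains"]),
	}
}

// intersects reports whether any element of want appears in have (exact match,
// since group names are opaque identifiers).
func intersects(want, have []string) bool {
	set := make(map[string]struct{}, len(have))
	for _, h := range have {
		set[h] = struct{}{}
	}
	for _, w := range want {
		if _, ok := set[w]; ok {
			return true
		}
	}
	return false
}

// containsFold reports whether v matches any element of list case-insensitively
// (e-mail addresses and domains are case-insensitive).
func containsFold(list []string, v string) bool {
	for _, l := range list {
		if strings.EqualFold(l, v) {
			return true
		}
	}
	return false
}

// Allowed returns true when the session satisfies every present constraint.
// An absent constraint passes trivially; a present one is satisfied by any
// one of its listed values.
func (c Constraints) Allowed(s Session) bool {
	if len(c.Groups) > 0 && !intersects(c.Groups, s.Groups) {
		return false
	}
	if len(c.Emails) > 0 && !containsFold(c.Emails, s.Email) {
		return false
	}
	if len(c.EmailDomains) > 0 {
		at := strings.LastIndex(s.Email, "@")
		// Exact domain comparison: no suffix matching, so a crafted
		// subdomain cannot satisfy a parent-domain constraint.
		if at < 0 || !containsFold(c.EmailDomains, s.Email[at+1:]) {
			return false
		}
	}
	return true
}

// Check parses a raw query string and evaluates it against the session.
func Check(rawQuery string, s Session) (bool, error) {
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return false, err
	}
	return ParseConstraints(q).Allowed(s), nil
}

func main() {
	// Constructed sample session used for the demonstration.
	s := Session{Email: "dev@example.com", Groups: []string{"devs"}}
	for _, q := range []string{"", "allowed_groups=admins,devs", "allowed_groups=admins", "allowed_email_domains=example.com&allowed_groups=devs"} {
		ok, _ := Check(q, s)
		fmt.Printf("%-55q -> %v\n", q, ok)
	}
}
```

When exposing constraints like this on a proxied path, the query string is attacker-influenced input: the values only ever narrow what a session may access, never widen it, which is why an empty constraint must mean "no additional restriction" rather than "allow all".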