* Remove shadowing of predeclared identifier: new.
* strings.ReplaceAll instead of strings.Replace with -1.
* Change strings.ToLower comparison to strings.EqualFold.
* Rewrite if-else-if-else chain as a switch.
alone
Previously some headers that are normally set by the proxy (and may be
replied upstream for authorization decisiions) were not being set
depending on values in the users sesssion.
This change ensure that if a given header is sometimes set, it will
always be either set or removed.
It might be worth considerating always deleting these headers if we
didn't add them.
* New flag "-ssl-upstream-insecure-skip-validation" to skip SSL validation for upstreams with self generated / invalid SSL certificates.
* Fix tests for modified NewReverseProxy method.
* Added change to the changelog.
* Remove duplicate entries from changelog.
- Add `ping-path` option to enable switching on and passing to `logger.go`
Default remains unchanged at: `"/ping"`
- Add note in configuration.md about silence flag taking precedence
Potential tests:
- `options.go` sets `logger.SetExcludePath` based on silence flag?
- Changing `PingPath` reflected in router?
* fixes deletion of splitted cookies
* three minor adjustments to improve the tests
* changed cookie name matching to regex
* Update oauthproxy.go
Co-Authored-By: einfachchr <einfachchr@gmail.com>
* removed unused variable
* Changelog
* Added conditional to prevent user-supplied redirect URL getting
clobbered
Change-type: patch
* use redirectURL as OAuthCallbackURL (as it should be!)
Change-type: patch
* Access token forwarding through nginx auth request
Related to #420.
(cherry picked from commit b138872bea)
Signed-off-by: David Holsgrove <david.holsgrove@biarri.com>
* Improved documentation for auth request token
(cherry picked from commit 6fab314f72)
Signed-off-by: David Holsgrove <david.holsgrove@biarri.com>
* Update README.md
Example should set header as `X-Access-Token`
Co-Authored-By: davidholsgrove <davidholsgrove@users.noreply.github.com>
* Update Changelog to reference https://github.com/pusher/oauth2_proxy/pull/68
* Fix Changelog message location
* Implemented flushing interval
When proxying streaming responses, it would not flush the response writer buffer until some seemingly random point (maybe the number of bytes?). This makes it flush every 1 second by default, but with a configurable interval.
* flushing CHANGELOG
* gofmt and goimports
- Save both user and email in session state:
Encoding/decoding methods save both email and user
field in session state, for use cases when User is not derived from
email's local-parth, like for GitHub provider.
For retrocompatibility, if no user is obtained by the provider,
(e.g. User is an empty string) the encoding/decoding methods fall back
to the previous behavior and use the email's local-part
Updated also related tests and added two more tests to show behavior
when session contains a non-empty user value.
- Added first basic GitHub provider tests
- Added GetUserName method to Provider interface
The new GetUserName method is intended to return the User
value when this is not the email's local-part.
Added also the default implementation to provider_default.go
- Added call to GetUserName in redeemCode
the new GetUserName method is used in redeemCode
to get SessionState User value.
For backward compatibility, if GetUserName error is
"not implemented", the error is ignored.
- Added GetUserName method and tests to github provider.
Since I'm no longer with 18F, I've re-released hmacauth under the ISC
license as opposed to the previous CC0 license. There have been no
changes to the hmacauth code itself, and all tests still pass.
The Cookie Prefixes spec disallows the use of the `domain` attribute in cookies
if the `__Host-` prefix is used
(https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00#section-3.2).
There's no need to set it to the host by default, so make it optional. If it is
set to a non-empty value, still output a warning if it is not a suffix of the
host, as that's likely not wanted.
Fixes#352.
This is useful in Nginx auth_request mode, if a 401 handler is
configured to redirect to the sign-in page. As the request URL
does not reflect the actual URL, the value is taken from the
header "X-Auth-Request-Redirect" instead. Based on #247
This is enhancement of #173 to use "Auth Request" consistently in
the command-line option, configuration file and response headers.
It always sets the X-Auth-Request-User response header and if the
email is available, sets X-Auth-Request-Email as well.
* This fixes https://github.com/bitly/oauth2_proxy/issues/205
* Add new boolean option -pass-user-headers
to control whether X-Forwarded-User and X-Forwarded-Email
headers will be set (as opposed to HTTP BASIC auth)
* This is required e.g. for grafana [1] where
X-Forwarded-User is needed but HTTP BASIC auth fails
(password is not known and must not be known in this scenario)
* Keep behaviour of PassBasicAuth unchanged for compatibility
[1] http://docs.grafana.org/installation/configuration/#authproxy
The path should be provided as a file:// url with the full operating system path.
An alias to where the directory is available as can be specified by appending
a fragment (ie. "#/static/") at the end of the URL.
* New SessionState to consolidate email, access token and refresh token
* split ServeHttp into individual methods
* log on session renewal
* log on access token refresh
* refactor cookie encription/decription and session state serialization
This adds a "*" option to --email-domain to disable email validation, and this renames `--google-apps-domain` to `--email-domain` for clarity across providers
Christian Groschupp
Kirill Motkov
Ian Hunter
Adam Eijdenberg
ferhat elmas
jansinger
Karl Skewes
Joel Speed
Henry Jenkins
Henry Jenkins
Brian Van Klaveren
Adam Eijdenberg
timothy-spencer
Mister Wil
MisterWil
Costel Moraru
gyson
Patrick Koenig
einfachchr
Adam Szalkowski
dt-rush
David Holsgrove
Marcel Juhnke
Cosmin Cojocar
Steve Arch
Pierce Lopez
Carlo Lobrano
Mike Bland
Jehiah Czebotar
Alan Braithwaite
Reed Loden
idntfy
Sjoerd Mulder
Lukasz Siudut
Colin Arnott
Guillaume Bienkowski
Brian Dwyer
Omar Elazhary
Pranay Kanwar
Mike Bland
Reda Ahdjoudj
Brandon Philips
John Boxall
Jeppe Toustrup
Justin Burnham
mattk42
tonymeng