bc4d5941fc
Remove duplicated logic
2019-01-30 17:30:48 +00:00
2a1691a994
Add whitelist domains flag
2019-01-30 17:30:40 +00:00
090ff11923
redirect to original path after login ( #24 )
...
* redirect to original path after login
* tests for new redirect behaviour
* fixed comment
* added redirect fix to changelog
2019-01-29 12:13:02 +00:00
714e2bdfba
Fix cookie split should account for cookie name
2019-01-22 11:34:55 +00:00
d4b588dbe9
Split large cookies
2019-01-22 11:34:54 +00:00
68d4164897
Add Authorization header flags
2019-01-22 11:34:23 +00:00
d37cc2889e
Fix err declaration shadowing
2018-12-20 10:46:19 +00:00
ee913fb788
Add comments to exported methods for root package
2018-12-20 09:30:42 +00:00
8ee802d4e5
Lint for non-comment linter errors
2018-11-29 14:26:41 +00:00
847cf25228
Move imports from bitly to pusher
2018-11-27 11:45:05 +00:00
74d0fbc868
more robust ClearSessionCookie()
...
default domain changed from request Host to blank, recently
try to clear cookies for both
2017-12-18 21:16:51 -05:00
731fa9f8e0
Github provider: use login as user
...
- Save both user and email in session state:
Encoding/decoding methods save both email and user
field in session state, for use cases when User is not derived from
email's local-parth, like for GitHub provider.
For retrocompatibility, if no user is obtained by the provider,
(e.g. User is an empty string) the encoding/decoding methods fall back
to the previous behavior and use the email's local-part
Updated also related tests and added two more tests to show behavior
when session contains a non-empty user value.
- Added first basic GitHub provider tests
- Added GetUserName method to Provider interface
The new GetUserName method is intended to return the User
value when this is not the email's local-part.
Added also the default implementation to provider_default.go
- Added call to GetUserName in redeemCode
the new GetUserName method is used in redeemCode
to get SessionState User value.
For backward compatibility, if GetUserName error is
"not implemented", the error is ignored.
- Added GetUserName method and tests to github provider.
2017-11-20 20:02:27 +01:00
e241fe86d3
Switch from 18F/hmacauth to mbland/hmacauth
...
Since I'm no longer with 18F, I've re-released hmacauth under the ISC
license as opposed to the previous CC0 license. There have been no
changes to the hmacauth code itself, and all tests still pass.
2017-11-07 07:55:24 -05:00
bfda078caa
Merge pull request #376 from reedloden/make-cookie-domain-optional
...
Don't set the cookie domain to the host by default, as it breaks Cookie Prefixes
2017-10-23 14:14:45 -04:00
b640a69d63
oauthproxy: fix #284 -skip-provider-button for /sign_in route
2017-06-21 15:05:36 -07:00
b6bd878f27
Don't set the cookie domain to the host by default, as it breaks Cookie Prefixes
...
The Cookie Prefixes spec disallows the use of the `domain` attribute in cookies
if the `__Host-` prefix is used
(https://tools.ietf.org/html/draft-ietf-httpbis-cookie-prefixes-00#section-3.2 ).
There's no need to set it to the host by default, so make it optional. If it is
set to a non-empty value, still output a warning if it is not a suffix of the
host, as that's likely not wanted.
Fixes #352 .
2017-04-24 13:03:40 -07:00
1e7d2a08a3
#369 : Optionally allow skipping authentication for preflight requests
2017-04-07 15:01:47 +03:00
90a22b2f39
Use X-Auth-Request-Redirect request header in sign-in page
...
This is useful in Nginx auth_request mode, if a 401 handler is
configured to redirect to the sign-in page. As the request URL
does not reflect the actual URL, the value is taken from the
header "X-Auth-Request-Redirect" instead. Based on #247
2017-03-29 21:28:55 +05:30
829b442302
add --set-xauthrequest flag for use in Nginx auth_request mode
...
This is enhancement of #173 to use "Auth Request" consistently in
the command-line option, configuration file and response headers.
It always sets the X-Auth-Request-User response header and if the
email is available, sets X-Auth-Request-Email as well.
2017-03-29 21:28:55 +05:30
c5fc7baa86
gofmt
2017-03-29 09:36:38 -04:00
55085d9697
csrf protection; always set state
2017-03-29 09:31:10 -04:00
6c690b699b
Merge pull request #339 from omazhary/issue-205
...
Allow to pass user headers only
2017-03-28 21:42:29 -04:00
107b4811b4
Merge pull request #346 from bdwyertech/patch-1
...
Oversize Cookie Alert
2017-03-28 21:40:11 -04:00
289a6ccf46
add check for //.* to prevent open redirect during oauth
2017-03-28 21:12:33 -04:00
562cc2e466
[signout] Implement logout endpoint
2017-03-21 17:40:47 +01:00
3379e05fec
Oversize Cookie Alert
...
Cookies cannot be larger than 4kb
2017-02-23 18:48:34 -05:00
24f91a0b60
Allow to pass user headers only (issue #205 )
...
* This fixes https://github.com/bitly/oauth2_proxy/issues/205
* Add new boolean option -pass-user-headers
to control whether X-Forwarded-User and X-Forwarded-Email
headers will be set (as opposed to HTTP BASIC auth)
* This is required e.g. for grafana [1] where
X-Forwarded-User is needed but HTTP BASIC auth fails
(password is not known and must not be known in this scenario)
* Keep behaviour of PassBasicAuth unchanged for compatibility
[1] http://docs.grafana.org/installation/configuration/#authproxy
2017-01-24 11:11:58 +01:00
cdebfd6436
base64 cookie support
2016-06-20 07:45:43 -04:00
57f82ed71e
Custom footer text (optional)
...
Closes #256 and #166
2016-06-18 23:54:32 -04:00
168cff9d4b
Merge pull request #161 from rahdjoudj/master
...
adding option to skip provider button sign_in page
2016-06-18 23:31:39 -04:00
f957a1e435
Validate state param while redirecting
2016-01-19 13:14:16 +05:30
e4626c1360
Sign Upstream requests with HMAC. closes #147
2015-11-15 22:09:30 -05:00
35547a40cb
adding option to skip provider button sign_in page
2015-11-11 11:42:35 +11:00
462f6d03d2
Extract Authenticate for Proxy, AuthenticateOnly
2015-11-09 10:32:16 -05:00
e61fc9e7a6
Add /auth endpoint to support Nginx's auth_request
...
Closes #152 .
2015-11-09 10:31:41 -05:00
6db18804f3
*: rename Oauth to OAuth
...
Be consistent with Go capitalization styling and use a single way of
spelling this across the tree.
2015-11-09 00:57:01 +01:00
1ff2fce25b
oauthproxy: rename Uri to URI
...
Be consistent with Go coding style for acroynyms.
2015-11-09 00:50:42 +01:00
51a2e4e48c
*: rename Url to URL everywhere
...
Go coding style says that acronyms should be all lower or all upper. Fix
Url to URL.
2015-11-09 00:47:44 +01:00
a653c3eeeb
Pass `ProxyPrefix` into the error template.
...
The default `error.html` uses `ProxyPrefix` but it isn't supplied in the context, causing it to error.
2015-10-03 15:59:47 -07:00
ffeccfe552
Add support for serving static files from a directory
...
The path should be provided as a file:// url with the full operating system path.
An alias to where the directory is available as can be specified by appending
a fragment (ie. "#/static/") at the end of the URL.
2015-09-24 15:37:45 +02:00
3fd8f911c2
google: Support restricting access to a specific group(s)
2015-09-09 02:10:32 -07:00
7dd5d299e1
Add support for setting the basic auth password.
...
For tools that don't like empty passwords, this change allows
one to set a shared secret password for all users.
2015-07-24 09:17:43 +00:00
6cd3e72e09
Check email validity on all requests rather than only on login/refresh
2015-07-14 08:40:59 -06:00
d49c3e167f
SessionState refactoring; improve token renewal and cookie refresh
...
* New SessionState to consolidate email, access token and refresh token
* split ServeHttp into individual methods
* log on session renewal
* log on access token refresh
* refactor cookie encription/decription and session state serialization
2015-07-02 23:09:11 -04:00
8d50b372e4
immediately redeem refresh token for provider==Google
2015-06-23 13:56:14 -04:00
e9b5631eed
cookie refresh: validation fixes, interval changes
...
* refresh now calculated as duration from cookie set
2015-06-23 07:51:00 -04:00
d78aa13464
v2.0 & cleanup changes
...
* bump version to 2.0
* remove --cookie-https-only option
* add windows build to dist.sh
* rename --cookie-key to --cookie-name
2015-06-12 13:07:26 -04:00
f5b2b20f67
support TLS directly
2015-06-07 23:14:48 -04:00
f5db2e1ff7
More complete HTTP error logging
2015-06-07 21:03:53 -04:00
56d19b1c84
disable email validation; rename email-domain argument
...
This adds a "*" option to --email-domain to disable email validation, and this renames `--google-apps-domain` to `--email-domain` for clarity across providers
2015-06-06 14:37:54 -04:00
c5ccd43767
Enable specific oauth2proxy path; change cookie name to _oauth2proxy
2015-06-06 14:21:42 -04:00
b96a078839
Project Rename -> oauth2_proxy
2015-05-21 02:55:04 -04:00
37b38dd2f4
Github provider
2015-05-21 02:21:19 -04:00
8471f972e1
Move ValidateToken() to Provider
2015-05-21 02:06:23 -04:00
9047920e90
Merge pull request #88 from 18F/auto-refresh
...
Auto refresh auth token
2015-05-11 22:24:50 -04:00
5b07d9fcef
Provide a robots.txt that denies all crawlers
2015-05-10 15:15:52 -04:00
37f287bef4
Calculate cookie expiration from encoded timestamp
...
Found out the hard way that _incoming_ cookies do _not_ have their expiration
timestamps encoded. To perform auto-refresh based on expiration time, we have
to recalculate it from the time encoded in the cookie value.
2015-05-10 00:11:26 -04:00
8ec967ac32
Check cookie_secret size when cookie_refresh set
2015-05-09 17:37:33 -04:00
84190ab19a
Validate user during cookie refresh
2015-05-09 16:54:27 -04:00
610341a068
Make ProcessCookie() fail when cookie parse fails
2015-05-09 16:54:27 -04:00
bd4eae8fec
Store access token when cookie-refresh is set
...
cookie-refresh now no longer requires pass-access-token in order to work.
2015-05-09 16:54:27 -04:00
b6e07d51b2
Validate access_token when auto-refreshing cookie
2015-05-09 15:09:31 -04:00
25372567ac
ValidateToken() to check access_token validity
2015-05-09 13:17:37 -04:00
72857018ee
Introduce `validate-url` flag/config
2015-05-08 17:13:35 -04:00
8e2d83600c
Implement cookie auto-refresh
...
The intention is to refresh the cookie whenever the user accesses an
authenticated service with less than `cookie-refresh` time to go before the
cookie expires.
2015-05-08 14:05:09 -04:00
f554f99abd
Ensure all errors are logged in ProcessCookie()
2015-05-08 14:05:09 -04:00
beed9fb9a2
Extract MakeCookie()
2015-05-08 14:05:09 -04:00
1bd90cefe7
Extract ProcessCookie() from ServeHTTP()
2015-05-08 12:41:22 -04:00
9887ac3be5
Refactor cookie building and parsing
...
Extracts buildCookieValue() and parseCookieValue() from OauthProxy.ServeHTTP()
and adds tests for both.
2015-04-07 05:53:41 -04:00
cf79fd9e4c
Refactor pass_access_token+cookie_secret check
...
Moves the check from NewOauthProxy() to Options.Validate() and adds a test.
2015-04-07 05:53:40 -04:00
5f747bb768
Redirect to / when /oauth2/sign_in accessed
...
Without this change, clicking the sign-in button on /oauth2/sign_in will
always redirect back to /oauth2/sign_in, essentially creating an infinite
loop.
2015-04-06 22:10:03 -04:00
ad3c9a886f
Pass the access token to the upstream client
...
This is accomplished by encoding the access_token in the auth cookie and
unpacking it as the X-Forwarded-Access-Token header for upstream requests.
2015-04-03 15:32:01 -04:00
666e6ad436
Add ProviderName field; use in sign_in template
2015-03-31 12:59:07 -04:00
d9a945ebc3
Integrate Provider into Options and OauthProxy
2015-03-31 09:34:50 -04:00
45286af4a4
s/18F/bitly/ in import path
2015-03-30 11:42:37 -04:00
9d8f932797
Extract api package
...
This is the first step towards genericizing the google_auth_proxy to support
OAuth2 providers other than Google as discussed in #65 . The `api` package will
enable multiple providers to use the same `api.Request()` implementation.
2015-03-30 10:23:30 -04:00
16f2c981f3
fix upstream request path
2015-03-21 15:29:07 -04:00
b9b5e817fc
improve request logging (closer to Apache Common Log)
2015-03-19 22:34:01 -04:00
07c74f55c6
improve handling of cookie domains
2015-03-19 16:18:02 -04:00
de04e0c519
rename cookie secure flag
2015-03-19 14:08:17 -04:00
ebae065b11
make redirect_uri optional
2015-03-19 14:03:05 -04:00
71ae70834d
pass raw unencoded request URI upstream
2015-03-19 13:18:49 -04:00
2b2324e410
support (optional) custom templates
2015-03-17 18:11:58 -04:00
263e16eeea
add --proxy-host-header option
2015-03-17 15:53:01 -04:00
24ef555547
Requests are proxied to the Host specified by the target.
2015-03-17 15:04:27 -04:00
20a152261c
Adds failing test for using upstream Host header.
2015-03-17 15:04:27 -04:00
601ae6f4ec
Merge pull request #60 from tomtaylor/gofmt-fixes
...
Run gofmt over source
2015-01-19 12:48:57 -05:00
5201f26ffc
Run gofmt over source.
2015-01-19 16:10:37 +00:00
132e3d91d6
Add flag to enable/disable cookie's HttpOnly flag.
2015-01-19 16:00:49 +00:00
c4d25d271f
Adding Support for multi white listed urls with regex url match.
2015-01-12 14:48:41 +05:30
69804e588a
Allow hiding custom login UI even if an htpasswd file is provided.
2014-12-09 14:38:57 -06:00
1f515eba3c
options bug fixes; set https cookies on by default
2014-11-09 22:21:46 -05:00
a49eadadeb
template updates to display version
2014-11-09 22:01:50 -05:00
9060feb436
better environment parsing
2014-11-09 21:12:36 -05:00
d4fe9a4f57
Add config file support
2014-11-09 20:33:12 -05:00
bc26835076
always set httponly (there is no good reason not to); simplify httponly and expire flags
2014-11-08 14:32:35 -05:00
6cdf05e7f2
Added cookie settings
2014-11-08 13:35:45 -05:00
23a89b06de
Merge pull request #22 from dbrgn/empty_upstream_path
...
Handle upstreams without a trailing slash
2014-11-08 19:17:44 +01:00
ec9c11ed28
Pass in the original email address too as X-Forwarded-Email.
2014-11-08 07:33:14 -08:00
1e29aa1c12
Make /ping endpoint respond with "OK"
2014-10-14 17:05:59 -04:00
8702ad2e52
Add /ping endpoint
2014-10-14 16:22:38 -04:00
98fb800de4
update to new scopes
2014-08-07 20:49:28 +00:00
b3bbc3ca20
Handle upstreams without a trailing slash
2014-07-08 15:06:41 +02:00
cfe186d6cb
Fixed wrong error message
2014-07-08 14:07:07 +02:00
11ce460209
Updated redirect arg handling to only happen when needed.
2013-10-24 17:40:29 +00:00
d2b1815d43
After authentication, redirect to original URI.
2013-10-23 20:29:39 +00:00
c97de52200
handle sign in directly (if using htpasswd)
2012-12-26 18:26:03 +00:00
4367e47a46
don't promote htpasswd auth; auth directly
2012-12-26 16:55:20 +00:00
c459806ab0
promote basic auth to cookie
2012-12-26 10:35:02 -05:00
42f539109e
testing
2012-12-17 13:38:33 -05:00
42359333b2
cleanup error handling
2012-12-17 13:15:23 -05:00
fb636396a3
initial code import
2012-12-10 20:59:23 -05:00
Joel Speed
Steve Arch
Pierce Lopez
Carlo Lobrano
Mike Bland
Jehiah Czebotar
Alan Braithwaite
Reed Loden
idntfy
Sjoerd Mulder
Lukasz Siudut
Colin Arnott
Guillaume Bienkowski
Brian Dwyer
Omar Elazhary
Pranay Kanwar
Mike Bland
Reda Ahdjoudj
Brandon Philips
John Boxall
Jeppe Toustrup
Justin Burnham
mattk42
tonymeng
Tom Taylor
vishnu chilamakuru
drew
Igor Dolgiy
Roger Hu
Jason Swank
Danilo Bargen
Sean O'Connor