* update to release version v7.15.2
* doc: add changelog entry for v7.15.2
Signed-off-by: Jan Larwig <jan@larwig.com>
* fix(deps): override webpackbar to v7 for webpack 5.106.0 compatibility
As outlined in https://github.com/facebook/docusaurus/issues/11923
Signed-off-by: Jan Larwig <jan@larwig.com>
* chore: fix local test files for nginx setup
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* fix: clear session cookie at beginning of signinpage handler
Co-authored-by: Christopher Schrewing <christopher.schrewing@weidmueller.com>
Signed-off-by: Michael Bella <michael.bella@weidmueller.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
* test: clear session cookie at beginning of signinpage handler
Signed-off-by: Jan Larwig <jan@larwig.com>
* doc: changelog entry for GHSA-f24x-5g9q-753f
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Michael Bella <michael.bella@weidmueller.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Christopher Schrewing <christopher.schrewing@weidmueller.com>
* fix: invalidate session on fatal OAuth2 refresh errors
When a token refresh fails with a fatal OAuth2 error (invalid_grant,
invalid_client), the session is now cleared from the session store
and the cookie is removed, forcing re-authentication.
Previously, fatal refresh errors were logged but the stale session
continued to be served, leaving users logged in indefinitely after
their session was revoked at the provider level.
Transient errors (network timeouts, server errors) continue to
preserve the existing session as before.
Fixes#1945
Signed-off-by: Francesco Pasqualini <frapas@gmail.com>
* fix: apply review nits and add CHANGELOG entry
Signed-off-by: Francesco Pasqualini <frapas@gmail.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Francesco Pasqualini <frapas@gmail.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
* update to release version v7.15.1
* doc: release notes for v7.15.1
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* Propagate errors during route building
This fixes cases such as invalid paths being silently discarded after
creation by throwing a visible error in such cases.
Due to the way gorilla/mux's fluent API is designed, it is necessary to
manually call `.GetError()` to check for errors while building routes.
Signed-off-by: Simon Engmann <simon.engmann@sovity.de>
* Add test for route building error propagation
Signed-off-by: Simon Engmann <simon.engmann@sovity.de>
* Add route building error propagation to changelog
Signed-off-by: Simon Engmann <simon.engmann@sovity.de>
---------
Signed-off-by: Simon Engmann <simon.engmann@sovity.de>
Co-authored-by: Simon Engmann <simon.engmann@sovity.de>
* Improve logging for session refresh token status
Signed-off-by: Yosri Barhoumi <med.yosri.brh@gmail.com>
* doc: add changelog entry for #3327
Signed-off-by: Jan Larwig <jan@larwig.com>
* test: fix existing test cases for new behaviour
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Yosri Barhoumi <med.yosri.brh@gmail.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* fix: handle Unix socket RemoteAddr in IP resolution
When oauth2-proxy listens on a Unix socket, Go sets RemoteAddr to "@"
instead of the usual "host:port" format. This caused net.SplitHostPort
to fail on every request, flooding logs with errors:
Error obtaining real IP for trusted IP list: unable to get ip and
port from http.RemoteAddr (@)
Fix by handling the "@" RemoteAddr at the source in getRemoteIP,
returning nil without error since Unix sockets have no meaningful
client IP. Also simplify the isTrustedIP guard and add a nil check
in GetClientString to prevent calling String() on nil net.IP.
Fixes#3373
Signed-off-by: h1net <ben@freshdevs.com>
* docs: add changelog entry and Unix socket trusted IPs documentation
Add changelog entry for #3374. Document that trusted IPs cannot match
against RemoteAddr for Unix socket listeners since Go sets it to "@",
and that IP-based trust still works via X-Forwarded-For with reverse-proxy.
Signed-off-by: Ben Newbery <ben.newbery@gmail.com>
Signed-off-by: h1net <ben@freshdevs.com>
* doc: fix changelog entry for #3374
Signed-off-by: Jan Larwig <jan@larwig.com>
* doc: add trusted ip a section to versioned docs as well
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: h1net <ben@freshdevs.com>
Signed-off-by: Ben Newbery <ben.newbery@gmail.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* add new docs version 7.15.x
* update to release version v7.15.0
* doc: changelog for v7.15.0 and extended docs for additional claims
* ci: fix trivy failure for release PR
---------
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
fix: linter issues and set default unix socket permissions to 0660
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Tristan <tristan@mangadex.org>
* the attribute version is obsolete, it will be ignored, please remove it to avoid potential confusion
Signed-off-by: Joost <439100+jvnoije@users.noreply.github.com>
* Add cookie-csrf-samesite option
Most of the code is copied form pull request #1947
Signed-off-by: Joost <439100+jvnoije@users.noreply.github.com>
* Update CHANGELOG.md
Signed-off-by: Joost <439100+jvnoije@users.noreply.github.com>
* Removed release information (review comment)
Signed-off-by: Joost <439100+jvnoije@users.noreply.github.com>
* All cookie variables in a struct
Signed-off-by: Joost <439100+jvnoije@users.noreply.github.com>
* doc: add changelog entry for #3347
Signed-off-by: Jan Larwig <jan@larwig.com>
* revert: unnecessary removal of docker compose version
Signed-off-by: Jan Larwig <jan@larwig.com>
* doc: sort csrf flags
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Joost <439100+jvnoije@users.noreply.github.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* feat: add --config-test flag for validating configuration without starting the proxy
Signed-off-by: MayorFaj <mayorfaj@gmail.com>
* doc: fix alpha config and add changelog entry for #3338
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: MayorFaj <mayorfaj@gmail.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* fix: filter empty strings from allowed groups
When parsing allowed groups from configuration (e.g., via environment
variable OAUTH2_PROXY_ALLOWED_GROUPS), viper may include empty
strings in the parsed slice when trailing commas are present
(e.g., "group2," becomes ["group2", ""]).
The setAllowedGroups function now filters out empty strings before
adding them to the AllowedGroups map, ensuring that only valid group
names are checked during authorization.
Fixes#3123
Signed-off-by: Br1an67 <932039080@qq.com>
* refactor: minor change
Signed-off-by: Jan Larwig <jan@larwig.com>
* doc: add changelog entry for 3365
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Br1an67 <932039080@qq.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* feat: add support for specifying allowed OIDC JWT signing algorithms (#2753)
TODO:
- [X] update docs
- [X] add support in yaml (modern) config
- [X] add more test(s)?
Add (legacy for now) configuration flag "oidc-enabled-signing-alg" (cfg:
oidc_enabled_signing_algs) that allows setting what signing algorithms
are specified by provider in JWT header ("alg" header claim).
In particular useful when skip_oidc_discovery = true, as verifier
defaults to only accept "RS256" in alg field in such circumstances.
Signed-off-by: Jan Larwig <jan@larwig.com>
* doc: update changelog and alpha config
Signed-off-by: Jan Larwig <jan@larwig.com>
* feat: add signing algorithm intersection handling with oidc discovery and additional tests
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* feat: possibility to inject id_token in redirect url during sign out
Signed-off-by: Alban Fonrouge <alban.fonrouge@visma.com>
* doc: changelog for #3278
Signed-off-by: Jan Larwig <jan@larwig.com>
* test: fix assertion for TestIdTokenPlaceholderInSignOut
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Alban Fonrouge <alban.fonrouge@visma.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* feat: support additional claims
Signed-off-by: afsu <suaf2020@163.com>
Signed-off-by: af su <saf@zjuici.com>
* docs: clarify that AdditionalClaims may come from id_token or userinfo endpoint
Signed-off-by: afsu <suaf2020@163.com>
Signed-off-by: af su <saf@zjuici.com>
* feat: include AdditionalClaims in /oauth2/userinfo response (#834)
Signed-off-by: afsu <suaf2020@163.com>
Signed-off-by: af su <saf@zjuici.com>
* refactor: extract coerceClaim logic into util
Signed-off-by: afsu <suaf2020@163.com>
Signed-off-by: af su <saf@zjuici.com>
* doc: add changelog entry for #2685
Signed-off-by: Jan Larwig <jan@larwig.com>
* refactor: added more verbose comments to some struct fields and minor code cleanup
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: afsu <suaf2020@163.com>
Signed-off-by: af su <saf@zjuici.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: af su <saf@zjuici.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
Add statusRewrites (401 -> 302) to the ForwardAuth with Errors
middleware configuration and a troubleshooting note explaining that
without it, browsers may show a "Found." link instead of
auto-redirecting to the identity provider.
Fixes#3359
Signed-off-by: Nick Nikolakakis <nonicked@protonmail.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* Ensure Windows binary has .exe extension
Signed-off-by: Jan Larwig <jan@larwig.com>
* doc: add changelog for #3332
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
The devcontainer was using Go 1.23 but go.mod requires Go 1.25.0.
This caused 'go mod tidy' to fail in the devcontainer environment.
Signed-off-by: Jan Larwig <jan@larwig.com>
* update to release version v7.14.2
* doc: changelog entry for v7.14.2
Signed-off-by: Jan Larwig <jan@larwig.com>
* doc: fix nginx example docker-compose
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* docs(nginx): Clarify auth_request redirect pattern with named location
Update the nginx integration documentation to recommend using a named location
(@oauth2_signin) for the error_page directive instead of the previous
'error_page 401 =403' approach.
The named location pattern ensures the browser receives a proper 302 redirect,
which is required for --skip-provider-button=true to work correctly.
The previous pattern (error_page 401 =403 /oauth2/sign_in) returned a 403
status with a Location header. Browsers do not auto-follow redirects on 403
responses, causing users to see a 'Found.' link instead of being automatically
redirected to the IdP.
Changes:
- Updated main nginx example to use @oauth2_signin named location
- Added 'Understanding the error_page redirect pattern' section
- Added warning about the limitations of 'error_page 401 =403'
- Updated local test environment (contrib/local-environment/nginx.conf)
Refs: #334
Signed-off-by: Stefan Markmann <stefan@markmann.net>
* docs: clarify browser vs API routes for nginx auth_request redirects
Add new "Browser vs API Routes" section explaining:
- Use 302 redirect to /oauth2/sign_in only for browser-facing routes
- Use 401/403 without redirect for API/machine clients
This ensures:
- Browsers get a redirect and smooth login flow
- API clients fail fast with appropriate HTTP status codes
- /oauth2/auth remains a pure boolean oracle (2xx/401)
Signed-off-by: Stefan Markmann <stefan@markmann.net>
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Stefan Markmann <stefan@markmann.net>
Signed-off-by: Jan Larwig <jan@larwig.com>
This reverts commit 9c61c49ec2.
The original fix broke nginx deployments using `auth_request`. When `/oauth2/auth` returns 302,
nginx's `auth_request` module treats this as an internal error:
[error] auth request unexpected status: 302 while sending to client
nginx then returns **500 Internal Server Error** to the browser.
> If the subrequest returns a 2xx response code, the access is allowed. If it returns 401 or 403,
> the access is denied with the corresponding error code. Any other response code returned by the
> subrequest is considered an error.
https://nginx.org/en/docs/http/ngx_http_auth_request_module.html
The nginx `auth_request` module has strict semantics (non-negotiable):
| Subrequest status | nginx behavior |
|---|---|
| 2xx | Allow request |
| 401 / 403 | Deny → trigger `error_page` |
| **Any other status** | **Internal error → 500** |
The `/oauth2/auth` endpoint is used as a **policy oracle** (yes/no decision),
not as a browser-facing endpoint. It cannot return redirects.
Any nginx deployment with:
- `skip-provider-button=true`
- Using `auth_request` directive
Will receive 500 errors instead of the expected authentication flow.
The correct fix for #334 is a **documentation update**, not a code change:
```nginx
error_page 401 = @oauth2_signin;
location @oauth2_signin {
return 302 /oauth2/sign_in?rd=$scheme://$host$request_uri;
}
```
This keeps `/oauth2/auth` as a pure 401/2xx oracle and lets nginx perform the proper 302 redirect to the browser.
- Original Issue: #334
- Regression introduced in PR: #3309
Signed-off-by: Stefan Markmann <stefan@markmann.net>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
github-actions[bot]
Jan Larwig
Francesco Pasqualini
Justus
Yosri Barhoumi
artificiosus
H1net
renovate[bot]
Joost
Mayowa Fajobi
Ganesh Jagadeesan
Br1an
andoks
Alban Fonrouge
af su
Nick Nikolakakis
Mridul
Francois Botha
Vivek S Sejpal
Joel Speed
Richard Hagen
Stefan Markmann