* WIP: support for workload identity

* WIP: bugfixes to support WI

* Added support for Workload Identity

* Added missing flag

* Refactoring and typo

* Updated CHANGELOG.md

* Updated docs

* Updated changelog

* Improved readability and fixed codeclimate issues

* Update CHANGELOG.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Fixed if statement

* Apply suggestions from code review

Co-authored-by: Jan Larwig <jan@larwig.com>

* Cleanup

* Removed target principal

* Removed references to target principal

* Added docs

* Fixed header anchor linking

* Update auth.md

* Updated generated code

* Improved code

* Fixed tests

---------

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Jan Larwig <jan@larwig.com>

Embed static stylesheets and dependencies

Embedding css and webfont dependencies allows the application to present
itself correctly in an environment that does not allow downloading the
files from a cdn.

Inspiration taken from #1492 but reworked to make use of embed.FS
simplifying the approach.

* Validate jsonpath in claim extractor

Signed-off-by: Joseph Weigl <joseph.weigl@audi.de>

* Add test and changelog for claim extractor json path

---------

Signed-off-by: Joseph Weigl <joseph.weigl@audi.de>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

fix: use X-Forwarded-Uri if it exists for pathRegex match

the functions `isApiPath` and `isAllowedPath` use the `req.URL.Path` property which leads to faulty behavior when behind a reverse proxy. The correct path can be inferred from the `X-Forwarded-Uri` header by making use of the already provided `requestutil.GetRequestURI` function.

Co-authored-by: Jan Wystub <jan@bam-bam-bam.com>

Update setup-buildx-action to supported version

Minor - spelling typos in comment

Use fully qualified image names in the Dockerfile to simplify
usage with alternate container build tools, like buildah and podman

* Create session cookie when cookie-expire set 0

* Fix format

* add test

* fix lint error

* fix test code

* fix conflicted test case

* update test case of cookie expiration

* update tests of csrf cookies

* update docs

* Update docs/docs/configuration/overview.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

---------

Co-authored-by: tanuki884 <morkazuk@fsi.co.jp>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Project moved from Travis CI configuration e9d46bfe

* update: use go install in build step

go get was deprecated since https://go.dev/doc/go-get-install-deprecation

* Update installation.md

Update stale bot to v8

* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

* Issue 2016: CVE-2022-41717: DoS in Go net/http may lead to DoS

---------

Co-authored-by: Nuno Borges <Nuno.Borges@ctw.bmwgroup.com>

* Update golang.org/x/net to v0.7.0 ato address GHSA-vvpx-j8f3-3w6h

Addresses https://github.com/advisories/GHSA-vvpx-j8f3-3w6h

Signed-off-by: Amr Hanafi (MAHDI)) <amrh@microsoft.com>

* Update CHANGELOG

---------

Signed-off-by: Amr Hanafi (MAHDI)) <amrh@microsoft.com>

* Log the difference between invalid email and not authorized session

* Add changelog entry

* Remove superfluous argument

---------

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Added documentation for the keycloak-oidc provider in regard to the new Keycloak admin console "Admin2". As of v19.0.0 it is the default web console and OAuth2 proxy documentation has been updated to show end-users how to create a sample test Keycloak OIDC client to integrate with Oauth2 Proxy.

* Issue #1931
Added documentation for the keycloak-oidc provider in regard to the new Keycloak admin console "Admin2". As of v19.0.0 it is the default web console and OAuth2 proxy documentation has been updated to show end-users how to create a sample test Keycloak OIDC client to integrate with Oauth2 Proxy.
Added a link in the documentation to older keycloak-oidc pull request, as the provider currently evaluates aud from the access token and not the id token.

---------

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Ensure sign-in page background is uniform throughout the page

Configured banners that take up large amounts of space leave a gap of blank
background between where the body ends and the footer starts.  Fix this by
setting the style for the section containing the banner to match the body and
footer

* Add changelog entry

---------

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs

* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs

* Fixes CVE-2022-41721 (#1994)

See: https://avd.aquasec.com/nvd/2022/cve-2022-41717/

* update checkout actions (#1981)

* Fix a typo in oauthproxy.go (#2021)

* fix typo (#2001)

* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs

* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs

* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs

* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs

* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs

* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs

* Issue 1929: Oauth2-proxy v7.4.0 is not using alpine:3.16 as it is written in code & updates versions due to fixed CVEs

---------

Co-authored-by: Nuno Borges <Nuno.Borges@ctw.bmwgroup.com>
Co-authored-by: Jeroen Landheer <jlandheer@bintelligence.nl>
Co-authored-by: Ryuichi Watanabe <ryucrosskey@gmail.com>
Co-authored-by: Ho Kim <ho.kim@ulagbulag.io>
Co-authored-by: Terrell Russell <terrellrussell@gmail.com>

See: https://avd.aquasec.com/nvd/2022/cve-2022-41717/

* Issue 1878: Validate URL call does not correctly honor already set URL parameters

* Issue 1878: Validate URL call does not correctly honor already set URL parameters

* Update CHANGELOG.md

---------

Co-authored-by: Nuno Borges <Nuno.Borges@ctw.bmwgroup.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Fill empty UserIDClaim before assigning it to other values

Changes `checkout` version to `v3`

* feat: readiness check

* fix: no need for query param

* docs: add a note

* chore: move the readyness check to its own endpoint

* docs(cr): add godoc

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* fix default scope settings for none oidc providers

* add changelog for bugfix

* fix scope test cases by producing and accessing correct result value