* add gitea to auth config docs

* PR feedback

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Replace configuration loading with Viper

* Add -user-id-claim to support other claims than email

Fix #431 - This is a minimal change to allow the user to configure which claim is
the source of the "user ID".

- Add the option `user-id-claim` (defaults to email)
- OIDC extracts this claim into session.Email (to be renamed later)
- providers: add `CreateSessionStateFromBearerToken` with a default impl taken from
  `GetJwtSession` and overridden by oidc to respect `user-id-claim`

Once #466 is merged, I can continue to rename SessionState.Email to .UserID
and add HTTP headers with a corresponding name.

* Apply suggestions from code review

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* Review feedback: Don't extract claims manually

Instead, parse them twice - it might be sligtly slower but less bug-prone as the code evolves.

* Fix indentation

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Make sure websockets respect ssl-upstream-insecure-skip-verify setting.

Signed-off-by: Yaroslav Rosomakho <yaroslavros@gmail.com>

* Updated changelog for websockets taking into account ssl-upstream-insecure-skip-verify

Signed-off-by: Yaroslav Rosomakho <yaroslavros@gmail.com>

Co-authored-by: Henry Jenkins <henry@henryjenkins.name>

* Allow the OIDC issuer verification to be skipped if desired.

* Remove stale warning

* Add CHANGELOG entry

Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
Co-authored-by: Dan Bond <pm@danbond.io>

Set-Basic-Auth should default to false

* add new linters and fix issues

* fix deprecated warnings

* simplify return

* update CHANGELOG

* fix staticcheck issues

* remove a deprecated linter, minor fixes of variable initialization

Warn users when session cookies are split

* Allow multiple cookie domains to be specified

* Use X-Forwarded-Host, if it exists, when selecting cookie domain

* Perform cookie domain sorting in config validation phase

* Extract get domain cookies to a single function

* Update pkg/cookies/cookies.go

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* Update changelog

Co-authored-by: Marcos Lilljedahl <marcosnils@gmail.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* feature: switch Azure AD graph API to Microsoft Graph API

* Update CHANGELOG

* Expand Breaking Changes notice

* Update CHANGELOG.md

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* fix: use constant http method

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* addint redirect capability to sign_out

* updating changelog

* Add a new param to set the Authorization header to up-stream systems as Basic user:password

* Resolving code review

* mutual exclusiv changes for Basic and Bearer Authorization header

* Fixed the merge mixup and comment error

* Updated changelog and fixed typo

* Adding the new entry in changelog

Co-authored-by: Costel Moraru <costel.moraru-germany@ibm.com>

* Prevent browser caching during auth flow

* simplify no-cache logic, add tests and update changelog

* checking noCacheHeaders does not exists in response headers from upstream

* remove unnecessary codes

* add no-cache headers in SignInPage and OAuthStart for proxy mode

https://github.com/oauth2-proxy/oauth2-proxy/pull/453#discussion_r405072222

* updated Okta docs and added localhost example

* add changelog entry

* added pull request # to changelog

Co-authored-by: tbox <tbox@redhat.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

when type asserting fails here, err is reassigned with nil and the
default block of the switch prints out <nil> in the error message. This
makes debugging a configuration or access token issue difficult

The particular error this surfaces is:

Response: {
  "error": "unauthorized_client",
  "error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested."
}

Signed-off-by: Josh Bielick <jbielick@gmail.com>

* feature: Implement graceful shutdown

Propagate the request context to the Redis client.
It is possible to propagate a context cancel to Redis client if the connection is closed by the HTTP client.
The redis.Cmdable cannot use WithContext, so added the Client interface to handle redis.Client and redis.ClusterClient transparently.

Added handling of Unix signals to http server.

Upgrade go-redis/redis to v7.

* Update dependencies

- Upgrade golang/x/* and google-api-go
- Migrate fsnotify import from gopkg.in to github.com
- Replace bmizerany/assert with stretchr/testify/assert

* add doc for  wrapper interface

* Update CHANGELOG.md

* fix: upgrade fsnotify to v1.4.9

* fix: remove unnessary logging

* fix: wait until  all connections have been closed

* refactor: move chan to main for testing

* add assert to check if stop chan is empty

* add an idiomatic for sync.WaitGroup with timeout

* allow html in banner message

* Fix changelog (move under new version)

* Add logging in case of invalid redirects

* update changelog

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* clarify the nginx auth_request_set/set problem with proxy_pass

* reworded/extended as result of review

Update ruby dependencies for documentation

Migrate to oauth2-proxy/oauth2-proxy

Update Changelog for Release 5.1.0

* fix: http.Cookie SameSite is not copied.

* Update CHANGELOG.md