- Apr 10, 2019
Costel Moraru authored
Costel Moraru authored
Costel Moraru authored
- Mar 27, 2019
Joel Speed authored
added an option to enable GCP healthcheck endpoints
Joel Speed authored
fixes typo
- Mar 26, 2019
timothy-spencer authored
daB0bby authored
timothy-spencer authored
timothy-spencer authored
timothy-spencer authored
timothy-spencer authored
timothy-spencer authored
Tim Spencer authored
timothy-spencer authored
- Mar 25, 2019
Joel Speed authored
Improve websocket support
- Mar 23, 2019
- Mar 21, 2019
timothy-spencer authored
timothy-spencer authored
timothy-spencer authored
Joel Speed authored
Set redirect URL path when host is present
Patrick Koenig authored
- Mar 20, 2019
YAEGASHI Takeshi authored
* Use encoding/json for SessionState serialization
  In order to make it easier to extend in future.
* Store only email and user in cookie when cipher is unavailable
  This improves safety and robustness, and also preserves the existing behaviour.
* Add TestEncodeSessionState/TestDecodeSessionState
  Use the test vectors with JSON encoding just introduced.
* Support session state encoding in older versions
* Add test cases for legacy session state strings
* Add check for wrong expiration time in session state strings
* Avoid exposing time.Time zero value when encoding session state string
* Update CHANGELOG.md
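The session-state commit above describes three security-relevant choices: keep only email and user in the cookie when no cookie cipher is configured (so tokens never reach the browser in the clear), do not serialize the `time.Time` zero value, and reject a bad expiry on decode. The following is an added example, not oauth2_proxy's own code, that illustrates that design with a hypothetical `SessionState` type, an AES-GCM `Cipher`, and JSON serialization; the field names, JSON tags, error values and the 32-byte demo key are all assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// SessionState is a hypothetical session record. ExpiresOn is a pointer with
// omitempty so a session without an expiry never serializes the zero time.
type SessionState struct {
	Email        string     `json:"email,omitempty"`
	User         string     `json:"user,omitempty"`
	AccessToken  string     `json:"access_token,omitempty"`
	RefreshToken string     `json:"refresh_token,omitempty"`
	ExpiresOn    *time.Time `json:"expires_on,omitempty"`
}

var ErrExpired = errors.New("session expired or has no expiry")
var ErrTokensInClear = errors.New("plaintext session carries tokens")

// Cipher wraps AES-GCM; the random nonce is prepended to the ciphertext.
type Cipher struct{ aead cipher.AEAD }

func NewCipher(key []byte) (*Cipher, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Cipher{aead: aead}, nil
}

// EncodeSessionState produces the cookie value. Without a cipher the tokens
// must not reach the browser, so only the identity fields are kept.
func EncodeSessionState(s *SessionState, c *Cipher) (string, error) {
	if c == nil {
		b, err := json.Marshal(SessionState{Email: s.Email, User: s.User})
		return string(b), err
	}
	b, err := json.Marshal(s)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(c.aead.Seal(nonce, nonce, b, nil)), nil
}

// DecodeSessionState is the inverse. It rejects a tampered ciphertext, an
// encrypted session whose expiry is missing or in the past, and a plaintext
// session carrying tokens (which the encoder above would never have written).
func DecodeSessionState(v string, c *Cipher, now time.Time) (*SessionState, error) {
	raw := []byte(v)
	if c != nil {
		sealed, err := base64.RawURLEncoding.DecodeString(v)
		if err != nil {
			return nil, err
		}
		n := c.aead.NonceSize()
		if len(sealed) < n {
			return nil, errors.New("ciphertext too short")
		}
		if raw, err = c.aead.Open(nil, sealed[:n], sealed[n:], nil); err != nil {
			return nil, err // any tampering fails the GCM tag check here
		}
	}
	var s SessionState
	if err := json.Unmarshal(raw, &s); err != nil {
		return nil, err
	}
	if c == nil && (s.AccessToken != "" || s.RefreshToken != "") {
		return nil, ErrTokensInClear
	}
	if c != nil && (s.ExpiresOn == nil || !s.ExpiresOn.After(now)) {
		return nil, ErrExpired
	}
	return &s, nil
}

func main() {
	c, _ := NewCipher([]byte("0123456789abcdef0123456789abcdef")) // constructed demo key
	exp := time.Now().Add(time.Hour)
	s := &SessionState{Email: "alice@example.com", User: "alice", AccessToken: "access-token-secret", ExpiresOn: &exp}
	enc, _ := EncodeSessionState(s, c)
	plain, _ := EncodeSessionState(s, nil)
	fmt.Println("encrypted:", enc, "\nplaintext:", plain)
}
```

The plaintext path is deliberately lossy: a deployment without a cookie secret still gets a working login, but never a cookie that can be replayed as a bearer token, and a plaintext cookie that arrives carrying tokens is treated as hostile rather than trusted.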
Berjou authored
This commit fixes the issue #98
Tim Spencer authored
* first stab at login.gov provider
* fixing bugs now that I think I understand things better
* fixing up dependencies
* remove some debug stuff
* Fixing all dependencies to point at my fork
* forgot to hit save on the github rehome here
* adding options for setting keys and so on, use JWT workflow instead of PKCE
* forgot comma
* was too aggressive with search/replace
* need JWTKey to be byte array
* removed custom refresh stuff
* do our own custom jwt claim and store it in the normal session store
* golang json types are strange
* I have much to learn about golang
* fix time and signing key
* add http lib
* fixed claims up since we don't need custom claims
* add libs
* forgot ioutil
* forgot ioutil
* moved back to pusher location
* changed proxy github location back so that it builds externally, fixed up []byte stuff, removed client_secret if we are using login.gov
* update dependencies
* do JWTs properly
* finished oidc flow, fixed up tests to work better
* updated comments, added test that we set expiresOn properly
* got confused with header and post vs get
* clean up debug and test dir
* add login.gov to README, remove references to my repo
* forgot to remove un-needed code
* can use sample_key* instead of generating your own
* updated changelog
* apparently golint wants comments like this
* linter wants non-standard libs in a separate grouping
* Update options.go Co-Authored-By: timothy-spencer <timothy.spencer@gsa.gov>
* Update options.go Co-Authored-By: timothy-spencer <timothy.spencer@gsa.gov>
* remove sample_key, improve comments related to client-secret, fix changelog related to PR feedback
* github doesn't seem to do gofmt when merging. :-)
* update CODEOWNERS
* check the nonce
* validate the JWT fully
* forgot to add pubjwk-url to README
* unexport the struct
* fix up the err masking that travis found
* update nonce comment by request of @JoelSpeed
* argh. Thought I'd formatted the merge properly, but apparently not.
* fixed test to not fail if the query time was greater than zero
- Mar 15, 2019
einfachchr authored
* fixes deletion of split cookies
* three minor adjustments to improve the tests
* changed cookie name matching to regex
* Update oauthproxy.go Co-Authored-By: einfachchr <einfachchr@gmail.com>
* removed unused variable
* Changelog
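The fix above concerns a session cookie that is too large for one `Set-Cookie` and is therefore split into numbered chunks, all of which must be removed on logout; a prefix match is the easy way to miss some of them or to sweep up unrelated cookies. The following is an added example, not the project's own code, of chunking a cookie, reassembling it from a request, and clearing every chunk with an anchored regex. The cookie name `_oauth2_proxy`, the chunk suffix `_0`, `_1`, ..., the 4000-byte chunk size and the helper names are assumptions, and the request built in `main` is constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
	"sort"
	"strconv"
	"strings"
	"time"
)

// chunkPattern matches the base cookie and its numbered chunks (name,
// name_0, name_1, ...). The anchors and QuoteMeta stop a prefix match from
// catching unrelated cookies such as name_csrf.
func chunkPattern(name string) *regexp.Regexp {
	return regexp.MustCompile("^" + regexp.QuoteMeta(name) + "(_[0-9]+)?$")
}

// SplitCookie breaks an oversized value into cookies of at most maxLen bytes.
// A value that fits is returned as a single, unnumbered cookie.
func SplitCookie(name, value string, maxLen int) []*http.Cookie {
	if maxLen <= 0 {
		maxLen = 4000 // assumed default, comfortably under the usual 4096 limit
	}
	if len(value) <= maxLen {
		return []*http.Cookie{{Name: name, Value: value}}
	}
	var out []*http.Cookie
	for i := 0; value != ""; i++ {
		n := maxLen
		if n > len(value) {
			n = len(value)
		}
		out = append(out, &http.Cookie{Name: name + "_" + strconv.Itoa(i), Value: value[:n]})
		value = value[n:]
	}
	return out
}

// JoinCookies rebuilds the value from a request, ordering chunks by their
// index rather than by the order the browser happened to send them.
func JoinCookies(name string, req *http.Request) (string, bool) {
	re := chunkPattern(name)
	type chunk struct {
		idx int
		val string
	}
	var chunks []chunk
	for _, c := range req.Cookies() {
		m := re.FindStringSubmatch(c.Name)
		if m == nil {
			continue
		}
		if m[1] == "" {
			return c.Value, true // unsplit cookie, nothing to reassemble
		}
		idx, _ := strconv.Atoi(m[1][1:]) // regex already guarantees digits
		chunks = append(chunks, chunk{idx, c.Value})
	}
	if len(chunks) == 0 {
		return "", false
	}
	sort.Slice(chunks, func(i, j int) bool { return chunks[i].idx < chunks[j].idx })
	var b strings.Builder
	for _, c := range chunks {
		b.WriteString(c.val)
	}
	return b.String(), true
}

// ClearCookies returns an expiring Set-Cookie for every cookie in the request
// that belongs to the session, chunks included, so logout leaves no fragment.
func ClearCookies(name string, req *http.Request) []*http.Cookie {
	re := chunkPattern(name)
	var out []*http.Cookie
	for _, c := range req.Cookies() {
		if re.MatchString(c.Name) {
			out = append(out, &http.Cookie{Name: c.Name, Value: "", Path: "/", MaxAge: -1,
				Expires: time.Unix(0, 0), HttpOnly: true, Secure: true})
		}
	}
	return out
}

func main() {
	req, _ := http.NewRequest("GET", "https://app.example.com/", nil) // constructed request
	for _, c := range SplitCookie("_oauth2_proxy", strings.Repeat("s", 9000), 4000) {
		req.AddCookie(c)
	}
	v, ok := JoinCookies("_oauth2_proxy", req)
	fmt.Println("joined:", ok, len(v), "cleared:", len(ClearCookies("_oauth2_proxy", req)))
}
```

Clearing is driven by the cookies actually present in the request rather than by a fixed count, so a client that still holds chunks from an earlier, larger session gets every one of them expired.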
- Mar 13, 2019
Joel Speed authored
Revert OAuthCallbackPath
Joel Speed authored
- Mar 11, 2019
Joel Speed authored
Merge websocket proxy feature from openshift/oauth-proxy
Adam Szalkowski authored
Merge websocket proxy feature from openshift/oauth-proxy. Original author: Hiram Chirino <hiram@hiramchirino.com>
- Mar 08, 2019
Joel Speed authored
Fall back to using OIDC Subject instead of Email
Aigars Mahinovs authored
Aigars Mahinovs authored
Email is not a mandatory field; Subject is mandatory and expected to be unique. Might want to take a look at UserInfo first, however. Issue: #56
- Mar 06, 2019
Joel Speed authored
Use non-root user in docker images
Joel Speed authored
Co-Authored-By: kskewes <karl.skewes@gmail.com>
- Mar 05, 2019
dt-rush authored
* Added conditional to prevent user-supplied redirect URL getting clobbered
  Change-type: patch
* use redirectURL as OAuthCallbackURL (as it should be!)
  Change-type: patch
Ben authored
Type: docs
I simply added the word health check. I was searching all over the package for a health check, to only realise that it had been called ping. I think the small addition might help others avoid my troubles.
Gabor Lekeny authored
Karl Skewes authored
Run as non-root user and group

In the unlikely event that you are currently persisting data to disk then this change may break file read/write access due to a change in the UID/GID that the oauth2_proxy process runs as.

Run as non-root system user and group `oauth2proxy` with UID/GID `2000` to avoid clashing with typical local users.

An alternative to creating a separate user is to ~~chown binary and~~ run as `USER nobody`, which also works, can amend this PR if required.

Least access privileges.

Close: https://github.com/pusher/oauth2_proxy/issues/78

Locally with Docker (`-version`):
```
$ ps aux | grep oauth2
2000 25192 6.0 0.0 0 0 ? Ds 15:53 0:00 [oauth2_proxy]
```
Running in Kubernetes 1.13 with the following also specified:
```
securityContext:
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 10001
```
```
$ kubectl exec -it -n oauth2-proxy oauth2-proxy-85c9f58ffc-dz9lr sh
/opt $ whoami
whoami: unknown uid 10001
/opt $ ps aux
PID   USER     TIME   COMMAND
    1 10001     0:00  /opt/oauth2_proxy --whitelist-domain=.example.com --cookie-domain=example.com --email-domain=example.com --upstream=file:///dev/null --http-address=0.0.0.0:4180
   11 10001     0:00  sh
   17 10001     0:00  ps aux
```
- [x] My change requires a change to the documentation or CHANGELOG.
- [x] I have updated the documentation/CHANGELOG accordingly.
- [x] I have created a feature (non-master) branch for my PR.
- Mar 04, 2019
Marcel D. Juhnke authored
* added karrieretutor go-oidc fork for using an AAD B2C Policy
* added karrieretutor go-oidc fork for using an AAD B2C Policy
* added --skip-oidc-discovery option
* added --skip-oidc-discovery option
* add simple test for skip-oidc-discovery option
* revert Dockerfile to pusher upstream
* revert Dockerfile to pusher upstream
* remove karrieretutor b2c option leftover
* remove karrieretutor b2c option leftover
* Fix typo (missing letters) Co-Authored-By: marratj <marrat@marrat.de>
* Fix typo (missing letters) Co-Authored-By: marratj <marrat@marrat.de>
* replace fake http client with NewProvider() from go-oidc
* remove OIDC UserInfo URL option (not required)
* add info about -skip-oidc-discovery to README
* add note to changelog
* Update outdated comment