Commit Graph

101 Commits

Author SHA1 Message Date
github-actions[bot]
055a63432c
update to release version v7.7.1 2024-10-08 14:41:41 +02:00
github-actions[bot]
f432cf79e2
update to release version v7.7.0 2024-10-01 11:15:46 +02:00
Edvard Gjessing Bakken
e91f09875a Update docker-compose-nginx.yaml
working nginx example. docker-compose-nginx was missing some configuration to run out of the box.
2024-09-15 09:28:42 +02:00
igor.udot
076d2df246 fix: add the OAuth2 image to the local environment examples in the compose file 2024-08-28 23:38:57 +02:00
renovate[bot]
100ffdcb3d
chore(deps): update docker-compose (#2714)
* chore(deps): update docker-compose

* reduce specificity of keycloak tag

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
2024-07-25 23:23:17 +02:00
renovate[bot]
5aea780e46 chore(deps): update helm release oauth2-proxy to v7.7.9 2024-07-25 23:14:31 +02:00
Koen van Zuijlen
ce8b63bc21
chore(examples): update keycloak to v25 (#2706)
---------

Co-authored-by: tuunit <jan@larwig.com>
2024-07-18 23:57:15 +02:00
renovate[bot]
8a6a3ef3a4
chore(deps): update docker-compose 2024-07-14 20:00:56 +00:00
renovate[bot]
6c0d1c5672 chore(deps): update helm release oauth2-proxy to v7.7.8 2024-07-01 21:57:05 +02:00
renovate[bot]
a472392b81
chore(deps): update helm release oauth2-proxy to v7 2024-06-23 16:52:19 +00:00
renovate[bot]
92c2f06bf7
chore(deps): update helmv3 2024-06-10 15:20:55 +00:00
renovate[bot]
252c978c5b
chore(deps): update docker-compose 2024-06-10 12:36:37 +00:00
renovate[bot]
36f8dbcbcc
chore(deps): update docker-compose (#2558)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2024-03-30 15:48:32 +07:00
Martin
2ffa92b1c9
oauth2-proxy.service.example: Remove syslog.target (#2538)
Remove syslog.target from service file, this target hasn't existed for over a decade.

6aa8d43ade/NEWS (L72-L73)
2024-03-30 15:48:11 +07:00
Lautaro Jayat
33088053a5
feat: adding scope to oauth2-proxy.cfg.example (#2489) 2024-03-30 15:36:17 +07:00
kvanzuijlen
cdcc6fb4c0
Merge branch 'master' into renovate-config
# Conflicts:
#	.github/workflows/publish-release.yml
#	contrib/local-environment/docker-compose-gitea.yaml
2024-03-04 00:44:12 +01:00
github-actions[bot]
b009395223
update to release version v7.6.0 2024-02-13 10:00:54 +00:00
kvanzuijlen
dd5576f2b2
chore: Added renovate configuration 2024-01-27 09:57:42 +01:00
WhiteRabbit-Code
5ba54df3e7
NGINX return 403 for sign_in (#2322) (#2323)
Co-authored-by: Sven Ertel <sven.ertel@bayernwerk.de>
2024-01-20 19:08:46 +00:00
Lino Layani
5d5f7ce343
fix: fix nginx setup (#2373) 2024-01-02 10:53:58 +00:00
Jan Larwig
53cd0b83d3
add contribution guide to documentation (#2318)
* add contribution guide to doucmentation

* fix EOF
2023-11-13 10:27:28 +00:00
Charley Wu
5e8956b52f
Improve the Nginx auth_request example (#2278)
* The `X-Forwarded-Uri` was required to bypass authentication

- Fix the `skip_auth_routes` option not working in Nginx

* Add tests for allowed requests with proxied `X-Forwarded-Uri` header

* Avoid nginx startup failure: host not found in upstream "oauth2-proxy"

* The `--reverse-proxy` option is required for nginx

* Update the change logs

* Use the authOnlyPath constant

* Remove the unused header `X-Scheme`
2023-11-02 22:57:21 +00:00
Koen van Zuijlen
66a81e6eeb
Updated oauth2-proxy tags to 7.5.1 (#2303) 2023-10-31 19:53:03 +00:00
Robert Deaton
e55ac342f0
Use updated key names in oauth2-proxy-alpha-config.yaml (#2253) 2023-10-31 19:42:46 +00:00
Ryan Gough
20244470a4
Missing closing quotes on api_routes example (#2123)
While parsing config: (28, 4): unescaped control character U+000A
2023-09-22 14:42:44 +01:00
Jan Larwig
13af1b4786
fix gitea token validation by allowing custom validation url and extracting the proper base api url for github cloud, github enterprise and gitea (#2194) 2023-09-14 10:09:57 +01:00
kvanzuijlen
07591fc93a
Update changelog for v7.5.0 release 2023-09-04 12:28:38 +02:00
Kobi Meirson
f753ec1ca5
feat: readiness check (#1839)
* feat: readiness check

* fix: no need for query param

* docs: add a note

* chore: move the readyness check to its own endpoint

* docs(cr): add godoc

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2022-12-23 09:08:12 +00:00
Joel Speed
2c21b2830d
Update changelog for v7.4.0 release 2022-10-29 13:19:48 +01:00
Segfault16
965fab422d
Add API route config (#1760)
* Add API route config

In addition to requests with Accept header `application/json` return 401 instead of 302 to login page on requests matching API paths regex.

* Update changelog

* Refactor

* Remove unnecessary comment

* Reorder checks

* Lint Api -> API

Co-authored-by: Sebastian Halder <sebastian.halder@boehringer-ingelheim.com>
2022-09-11 16:09:32 +01:00
Giau. Tran Minh
3d6ccc7cf7
k8s: fixed invalid cookie_domain 2022-08-28 17:54:32 +07:00
Joel Speed
95e1a4973e
Update CHANGELOG for v7.3.0 release 2022-05-29 15:36:50 +01:00
Braunson
ce750e9b30
PKCE Support (#1541)
* Add the allowed_email_domains and the allowed_groups on the auth_request endpoint + support standard wildcard char for validation with sub-domain and email-domain.

Signed-off-by: Valentin Pichard <github@w3st.fr>

* Fix provider data initialisation

* PKCE Support

Adds Code Challenge PKCE support (RFC-7636) and partial
Authorization Server Metadata (RFC-8414) for detecting PKCE support.

- Introduces new option `--force-code-challenge-method` to force a
specific code challenge method (either `S256` or `plain`) for instances
when the server has not implemented RFC-8414 in order to detect
PKCE support on the discovery document.
- In all other cases, if the PKCE support can be determined during discovery
then the `code_challenge_methods_supported` is used and S256 is always
preferred.
- The force command line argument is helpful with some providers like Azure
who supports PKCE but does not list it in their discovery document yet.
- Initial thought was given to just always attempt PKCE since according to spec
additional URL parameters should be dropped by servers which implemented
OAuth 2, however other projects found cases in the wild where this causes 500
errors by buggy implementations.
See: https://github.com/spring-projects/spring-security/pull/7804#issuecomment-578323810
- Due to the fact that the `code_verifier` must be saved between the redirect and
callback, sessions are now created when the redirect takes place with `Authenticated: false`.
The session will be recreated and marked as `Authenticated` on callback.
- Individual provider implementations can choose to include or ignore code_challenge
and code_verifier function parameters passed to them

Note: Technically speaking `plain` is not required to be implemented since
oauth2-proxy will always be able to handle S256 and servers MUST implement
S256 support.
> If the client is capable of using "S256", it MUST use "S256", as "S256"
> is Mandatory To Implement (MTI) on the server.  Clients are permitted
> to use "plain" only if they cannot support "S256" for some technical
> reason and know via out-of-band configuration that the server supports
> "plain".
Ref: RFC-7636 Sec 4.2

oauth2-proxy will always use S256 unless the user explicitly forces `plain`.

Fixes #1361

* Address PR comments by moving pkce generation

* Make PKCE opt-in, move to using the Nonce generater for code verifier

* Make PKCE opt-in, move to using the Nonce generater for code verifier

* Encrypt CodeVerifier in CSRF Token instead of Session

- Update Dex for PKCE support
- Expose HTTPBin for further use cases

* Correct the tests

* Move code challenges into extra params

* Correct typo in code challenge method

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Correct the extra space in docs

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Address changelog and new line nits

* Add generated docs

Co-authored-by: Valentin Pichard <github@w3st.fr>
Co-authored-by: Joel Speed <joel.speed@hotmail.co.uk>
2022-03-13 10:08:33 +00:00
Magnus Lübeck
dede6fd531
Fixing a typo, pointing to correct compose file (#1493)
Fixing a typo for the docker-compose-alpha-config.yaml
2021-12-29 19:50:36 +00:00
Joel Speed
5515918436
Prepare changelog for release v7.2.1 2021-12-18 12:59:55 +00:00
Joel Speed
976dc35805
Update CHANGELOG for v7.2.0 release 2021-10-22 18:11:26 +01:00
Luka Zakrajšek
d3e036d619 Add force-json-errors flag 2021-10-05 11:24:47 +02:00
Philippe Bürgisser
45e45303ad
Adding example for auth skiping 2021-08-27 10:53:57 +02:00
Nick Meves
2dd4a9647a
Update Changelog for release v7.1.3 2021-04-28 09:41:18 -07:00
yanasega
42475c28f7
Multiple providers in alpha config (#947)
* Initial commit of multiple provider logic:
1. Created new provider options.
2. Created legacy provider options and conversion options.
3. Added Providers to alpha Options.
4. Started Validation migration of multiple providers
5. Tests.

* fixed lint issues

* additional lint fixes

* Nits and alterations based on CR: manliy splitting large providers validation function and adding comments to provider options

* fixed typo

* removed weird : file

* small CR changes

* Removed GoogleGroups validation due to new allowed-groups (including tests). Added line in CHANGELOG

* Update pkg/apis/options/providers.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/apis/options/providers.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/apis/options/providers.go

Co-authored-by: Nick Meves <nick.meves@greenhouse.io>

* Initial commit of multiple provider logic:
1. Created new provider options.
2. Created legacy provider options and conversion options.
3. Added Providers to alpha Options.
4. Started Validation migration of multiple providers
5. Tests.

* fixed lint issues

* additional lint fixes

* Nits and alterations based on CR: manliy splitting large providers validation function and adding comments to provider options

* small CR changes

* auto generates alpha_config.md

* rebase (mainly service alpha options related conflicts)

* removed :

* Nits and alterations based on CR: manliy splitting large providers validation function and adding comments to provider options

* small CR changes

* Removed GoogleGroups validation due to new allowed-groups (including tests). Added line in CHANGELOG

* "cntd. rebase"

* ran make generate again

* last conflicts

* removed duplicate client id validation

* 1. Removed provider prefixes
2. altered optionsWithNilProvider logic
3. altered default provider logic
4. moved change in CHANELOG to 7.0.0

* fixed TestGoogleGroupOptions test

* ran make generate

* moved CHANGLOG line to 7.1.1

* moved changelog comment to 7.1.2 (additional rebase)

Co-authored-by: Yana Segal <yana.segal@nielsen.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Nick Meves <nick.meves@greenhouse.io>
2021-04-03 17:06:30 +01:00
Joel Speed
fbe5743dd4
Update Changelog for release v7.1.2 2021-04-01 19:07:22 +01:00
Joel Speed
46c3296330
Prepare for release v7.1.1 2021-03-28 19:25:46 +01:00
Joel Speed
b0949a4efb
Update changelog for v7.1.0 release 2021-03-25 17:21:08 +00:00
Frédéric Collonval
5788bebfee
Add example local environment with traefik (#1091)
* Add example with traefik and keycloak

* Switch to dex

* Remove unneeded change in keycloak settings

* Taken into account review comments

* Add changelog entry

Co-authored-by: Frédéric Collonval <frederic.collonval@ariadnext.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2021-03-22 13:55:25 +00:00
Joel Speed
e87a51f0e5
Prepare for release v7.0.1 2021-02-10 18:25:39 +00:00
Joel Speed
a909d33355
Update CHANGELOG for release v7.0.0 2021-02-01 18:05:44 +00:00
Kirill Müller
4fda907830
Fix and enhance OIDC example (#934)
* Fix and enhance OIDC example

* Restructure

* Indent

* Add full stop.

* Add link

* Add minimalistic README

* Apply suggestions from code review

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-12-19 15:48:33 +00:00
Joel Speed
5b683a7631
Add local environment that uses alpha configuration 2020-12-01 08:56:50 +00:00
Aaron Peschel
527c0c311c Use New Stable Chart URL
The existing URL no longer works. This commit updates the Chart
dependencies to use the new Stable chart URL.

This will fix the "Chart not found" errors that occur if these example
resources are used.

Please keep in mind this is only a bandaid, as the repository is still
EOL, and should not be used.
2020-11-23 11:45:34 -08:00
Lennart Jern
e14d6ab791 Document bcrypt encryption for htpasswd
Remove mention of (insecure) SHA option for encryption.
2020-09-11 13:32:00 +03:00