sso, aka S.S.Octopus, aka octoboi, is a single sign-on solution for securing internal services

Overview

See our launch blog post for more information!

Please take the SSO Community Survey to let us know how we're doing, and to help us plan our roadmap!


sso — lovingly known as the S.S. Octopus or octoboi — is the authentication and authorization system BuzzFeed developed to provide a secure, single sign-on experience for access to the many internal web apps used by our employees.

It depends on Google as its authoritative OAuth2 provider, and authenticates users against a specific email domain. Further authorization based on Google Group membership can be required on a per-upstream basis.

The main idea behind sso is a "double OAuth2" flow, where sso-auth is the OAuth2 provider for sso-proxy and Google is the OAuth2 provider for sso-auth.

sso is built on top of Bitly's open source oauth2_proxy.

In a nutshell:

  • If a user visits an sso-proxy-protected service (foo.sso.example.com) and does not have a session cookie, they are redirected to sso-auth (sso-auth.example.com).
    • If the user does not have a session cookie for sso-auth, they are prompted to log in via the usual Google OAuth2 flow, and then redirected back to sso-proxy where they will now be logged in (to foo.sso.example.com).
    • If the user does have a session cookie for sso-auth (e.g. they have already logged into bar.sso.example.com), they are transparently redirected back to sso-proxy where they will be logged in, without needing to go through the Google OAuth2 flow.
  • sso-proxy transparently re-validates and refreshes the user's session with sso-auth.
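The handoff described above, as an added example that is not code from the sso project: when a request reaches sso-proxy without a session cookie, the proxy builds the sso-auth /sign_in URL carrying the client_id, redirect_uri, state, ts and sig parameters, and sso-auth checks the signature and timestamp before starting the Google login. The cookie name, the HMAC input (redirect_uri joined to ts) and the five-minute freshness window are this example's assumptions, not sso's actual values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strconv"
	"time"
)

// Constructed placeholders: in a deployment these come from the proxy's
// CLIENT_ID / CLIENT_SECRET, which sso-auth also knows.
const (
	authHost      = "https://sso-auth.example.com"
	clientID      = "demo-client-id"
	sessionCookie = "_sso_proxy"    // assumed cookie name, not sso's
	maxURLAge     = 5 * time.Minute // assumed freshness window
)

var clientSecret = []byte("demo-proxy-client-secret") // placeholder

// signRedirect binds redirect_uri to a timestamp with HMAC-SHA256 so that
// sso-auth only sends codes back to a callback the proxy actually asked for.
// The "redirect_uri:ts" input is this example's assumption.
func signRedirect(redirectURI string, ts int64) string {
	mac := hmac.New(sha256.New, clientSecret)
	mac.Write([]byte(redirectURI + ":" + strconv.FormatInt(ts, 10)))
	return base64.URLEncoding.EncodeToString(mac.Sum(nil))
}

// signInURL builds sso-auth's /sign_in URL with the parameters that appear in
// sso-proxy's "starting OAuth flow" log line (client_id, redirect_uri,
// response_type, scope, sig, state, ts).
func signInURL(redirectURI, state string, now time.Time) string {
	ts := now.Unix()
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("response_type", "code")
	q.Set("scope", "")
	q.Set("state", state)
	q.Set("ts", strconv.FormatInt(ts, 10))
	q.Set("sig", signRedirect(redirectURI, ts))
	return authHost + "/sign_in?" + q.Encode()
}

// verifySignIn is the sso-auth side of the handoff: recompute the signature
// over the presented redirect_uri and ts, compare in constant time, and reject
// stale timestamps so a captured sign_in URL cannot be replayed forever.
func verifySignIn(rawURL string, now time.Time) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	q := u.Query()
	ts, err := strconv.ParseInt(q.Get("ts"), 10, 64)
	if err != nil {
		return fmt.Errorf("sign_in: bad ts: %w", err)
	}
	if age := now.Sub(time.Unix(ts, 0)); age < 0 || age > maxURLAge {
		return errors.New("sign_in: timestamp outside the allowed window")
	}
	want := signRedirect(q.Get("redirect_uri"), ts)
	if !hmac.Equal([]byte(want), []byte(q.Get("sig"))) {
		return errors.New("sign_in: signature does not match redirect_uri/ts")
	}
	return nil
}

// sessionRedirect is the sso-proxy decision from the first bullet above: with
// no session cookie the user is sent to sso-auth; otherwise the request may
// proceed to the upstream (after the session re-validation, not shown here).
func sessionRedirect(r *http.Request, now time.Time) (string, bool) {
	if _, err := r.Cookie(sessionCookie); err == nil {
		return "", false
	}
	callback := "https://" + r.Host + "/oauth2/callback"
	return signInURL(callback, "opaque-state-value", now), true
}

func main() {
	now := time.Now()
	r, _ := http.NewRequest("GET", "https://foo.sso.example.com/", nil)
	loc, _ := sessionRedirect(r, now)
	fmt.Println("redirect:", loc)
	fmt.Println("sso-auth verify:", verifySignIn(loc, now))
}
```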

Installation

Quickstart

Follow our Quickstart guide to spin up a local deployment of sso to get a feel for how it works!

Code of Conduct

Help us keep sso open and inclusive. Please read and follow our Code of Conduct.

Contributing

Contributions to sso are welcome! Please follow our contribution guideline.

Issues

Please file any issues you find in our issue tracker.

Security Vulns

If you come across any security vulnerabilities with the sso repo or software, please email [email protected]. In your email, please request access to our bug bounty program so we can compensate you for any valid issues reported.

Maintainers

sso is actively maintained by the BuzzFeed Infrastructure teams.

Notable forks

  • pomerium, an identity-access proxy inspired by BeyondCorp.

Comments
  • sso-auth: add all providers from oauth2_proxy

    sso-auth: add all providers from oauth2_proxy

    This project looks promising and it would be a sure winner if you add support for all the providers currently supported by Bitly's oauth2_proxy project https://github.com/bitly/oauth2_proxy. Especially because that project is really being maintained

    enhancement help wanted 
    opened by eforbus 33
  • sso-auth: issue with group validation

    sso-auth: issue with group validation

    Describe the bug

    I configured the buzzfeed SSO proxy to allow only specific groups inside of my Google organization, but I can still log in with an account which is not part of any group specified in the allowed groups.

    I'll attach only some of the (relevant) redacted configurations before I paste all the configurations

    Upstream config:

    - service: kibana
      default:
        from: kibana.service.ops.company.com
        to: http://kibana-logging.logging:5601
      options:
        allowed_groups:
          - [email protected]
          - [email protected]
    

    Logs when I log in with my not-allowed user (which is only part of [email protected] but not part of group1 and group2):

    {"error":"http: named cookie not present","level":"error","msg":"error authenticating user","remote_address":"x.x.x.x","service":"sso-proxy","time":"2018-11-27 16:17:25.11274"}
    {"level":"info","msg":"starting OAuth flow","service":"sso-proxy","sign_in_url":{"Scheme":"https","Opaque":"","User":null,"Host":"sso-auth.service.ops.company.com","Path":"/sign_in","RawPath":"","ForceQuery":false,"RawQuery":"client_id=WTM4bkE3bWhPK0crMkp0QThTMWFwQUFkMWRrUkROcW0%3D\u0026redirect_uri=https%3A%2F%2Fkibana.service.ops.company.com%2Foauth2%2Fcallback\u0026response_type=code\u0026scope=\u0026sig=neUgpMO7aaAHxHHoj70RGot1e9glODgupdmBLM8ig3Y%3D\u0026state=9bsMNh4FKHWboLsCG_pwU9VmrUC5bgEqLukrwgM1QBVyN3qCPnMQpn0ltd17nIFw8O7CVj-eB6t8_6shM9keSTZlQyiquPbU5kaQwQaCC_3Jn0y7cETaei9b7Fnj8amIvMaLtC1VwNBQHrRroB90RuDRRVrvWLXa1m3o0qxHfwfpqwC5RzeokNYk_Jg9IwGMjr80PnfwAsDPs1wlbtiF7lQ%3D\u0026ts=1543335445","Fragment":""},"time":"2018-11-27 16:17:25.11274"}
    {"action":"proxy","http_status":302,"level":"info","msg":"","remote_address":"x.x.x.x","request_duration":0.39268000000000003,"request_method":"GET","request_uri":"kibana.service.ops.company.com/ui/favicons/favicon-16x16.png","service":"sso-proxy","time":"2018-11-27 16:17:25.11274","user":"","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36"}
    {"allowed_groups":null,"level":"info","msg":"validating groups","service":"sso-proxy","time":"2018-11-27 16:17:25.11274","user":"[email protected]"}
    {"in_groups":[],"level":"info","msg":"authentication complete","remote_address":"x.x.x.x","service":"sso-proxy","time":"2018-11-27 16:17:25.11274","user":"[email protected]"}
    {"action":"callback","http_status":302,"level":"info","msg":"","remote_address":"x.x.x.x","request_duration":2.855855,"request_method":"GET","request_uri":"kibana.service.ops.company.com/oauth2/callback?code=n4_dBI-clrawxIAbZC8JtUFshHisUEczKNxnCQE4lNENI9vwGucLU9UYIrcidACFIS-kaf2sOvWRjTi5sVBwagzIbW4EKn05IOyuyvnhzgpEh1baQMdt3hT6raowgzX_9EODkFRRDf5-6A6z-L50jH2UhZzmS_7pOwVzzWEr1d55c41nB0r75PSq7UCSnhLACTEdR8uz69jWfOjy3K2aguq1tu83x4apr8vF8LBqtnHOsR_lI4DKOzt9w8RN9xMA3XCEbSueJhRE-7e-sELaAndDOXPrs23od7rYo_pobJVrtVn1uEPGcwHIr2i5YzuW2EEu2ceqvVPAaf9pi6DvhWF4ge0VaeQMmOMZmNR11TX_YX4VpOzRcQ0Zhw_XvaukOFv-5YXuEAjuVJksfm890e0jav3Mo4VVDROPYhBvGrBJWpeNHKPns3RzLvhmfKI1g6Qy3UMSNCEh322cqCmh6LYAYqHycV_A5hFItRlYMFvXOPWV7k_VpI9_nSda5coc5bRLk_Br51g6TU1W4jm8DIna-tQVdQ3d6M5vlzArckYWKBW4A8rVSUbAtUA8_T89sigxg0i0Jx6MHES89S425jsPXzfGSCoATbSTtnq06KMX8uoGdscisRXe1npIb_6tWe9Mdnw%3D\u0026state=9bsMNh4FKHWboLsCG_pwU9VmrUC5bgEqLukrwgM1QBVyN3qCPnMQpn0ltd17nIFw8O7CVj-eB6t8_6shM9keSTZlQyiquPbU5kaQwQaCC_3Jn0y7cETaei9b7Fnj8amIvMaLtC1VwNBQHrRroB90RuDRRVrvWLXa1m3o0qxHfwfpqwC5RzeokNYk_Jg9IwGMjr80PnfwAsDPs1wlbtiF7lQ%3D","service":"sso-proxy","time":"2018-11-27 16:17:25.11274","user":"","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36"}
    {"action":"proxy","http_status":200,"level":"info","msg":"","remote_address":"x.x.x.x","request_duration":3.2140099999999996,"request_method":"GET","request_uri":"kibana.service.ops.company.com/ui/favicons/favicon-16x16.png","service":"sso-proxy","time":"2018-11-27 16:17:25.11274","user":"[email protected]","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36"}
    {"action":"ping","http_status":200,"level":"info","msg":"","remote_address":"10.0.4.1:46784","request_duration":0.010053,"request_method":"GET","request_uri":"10.0.4.123:4180/ping","service":"sso-proxy","time":"2018-11-27 16:17:31.11274","user":"","user_agent":"kube-probe/1.11+"}
    

    Expected behavior

    Even if it is a misconfiguration on my side, I'd definitely expect a more verbose log, which indicates during the login what groups are allowed and what groups the logged-in user is attached to. Also I couldn't find any log lines which indicate that the service has successfully read all groups of my Google organization. I'd expect something like a list of read groups (or the number of successfully read groups using the Google admin API credentials).

    For instance the log line below should probably show the groups the user [email protected] is part of, right? If this is correct, this doesn't work apparently, and I haven't seen any error logs right after starting the service (e.g. "Couldn't read groups from Google organization"), nor did I receive a message which says, yes it worked.

    {"in_groups":[],"level":"info","msg":"authentication complete","remote_address":"x.x.x.x","service":"sso-proxy","time":"2018-11-27 16:17:25.11274","user":"[email protected]"}
    

    Question:

    How can I see if pulling the group information from my google organization did work or not?

    Should the property in_groups during a login process show the organization groups which the user is part of?

    question papercuts 
    opened by weeco 19
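An added check, not part of sso, that answers the two questions above from the proxy's own log: it reads sso-proxy's JSON log lines and reports logins where the configured allowed_groups never appear in the "validating groups" event, or where "authentication complete" resolves no membership in any configured group. The log lines are constructed to mirror the redacted ones in the issue; user and group names are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// event holds the fields of an sso-proxy JSON log line that matter for the
// group-validation check; other fields are ignored by the decoder.
type event struct {
	Msg           string   `json:"msg"`
	User          string   `json:"user"`
	Service       string   `json:"service"`
	AllowedGroups []string `json:"allowed_groups"`
	InGroups      []string `json:"in_groups"`
}

// Constructed sample, modelled on the issue's log: the first user logs in
// with allowed_groups null and no groups resolved, the second is a healthy
// login, and the last line is garbage to show error handling.
const sampleLog = `{"allowed_groups":null,"level":"info","msg":"validating groups","service":"sso-proxy","time":"2018-11-27 16:17:25.11274","user":"user@example.com"}
{"in_groups":[],"level":"info","msg":"authentication complete","remote_address":"x.x.x.x","service":"sso-proxy","time":"2018-11-27 16:17:25.11274","user":"user@example.com"}
{"allowed_groups":["group1@example.com"],"level":"info","msg":"validating groups","service":"sso-proxy","time":"2018-11-27 16:17:26.00000","user":"admin@example.com"}
{"in_groups":["group1@example.com"],"level":"info","msg":"authentication complete","remote_address":"x.x.x.x","service":"sso-proxy","time":"2018-11-27 16:17:26.00000","user":"admin@example.com"}
not json at all`

// intersects reports whether any group in a is also in b.
func intersects(a, b []string) bool {
	set := make(map[string]struct{}, len(b))
	for _, g := range b {
		set[g] = struct{}{}
	}
	for _, g := range a {
		if _, ok := set[g]; ok {
			return true
		}
	}
	return false
}

// auditGroupValidation walks the log and returns one finding per line where
// the configured groups are not visibly enforced. configured is the
// allowed_groups list from the upstream config the operator expects to apply.
func auditGroupValidation(log string, configured []string) []string {
	var findings []string
	for i, raw := range strings.Split(strings.TrimSpace(log), "\n") {
		var ev event
		if err := json.Unmarshal([]byte(raw), &ev); err != nil {
			findings = append(findings, fmt.Sprintf("line %d: not a JSON log line", i+1))
			continue
		}
		if ev.Service != "sso-proxy" {
			continue
		}
		switch ev.Msg {
		case "validating groups":
			// allowed_groups should echo the upstream config; null means the
			// proxy validated against no groups at all for this login.
			if len(configured) > 0 && len(ev.AllowedGroups) == 0 {
				findings = append(findings, fmt.Sprintf(
					"line %d: %s: allowed_groups is empty although %d group(s) are configured; check that the upstream options were loaded",
					i+1, ev.User, len(configured)))
			}
		case "authentication complete":
			// in_groups is what the directory lookup resolved for the user;
			// no overlap with the configured groups means access was not
			// granted on the basis of group membership.
			if len(configured) > 0 && !intersects(ev.InGroups, configured) {
				findings = append(findings, fmt.Sprintf(
					"line %d: %s: in_groups %v matches none of the configured groups",
					i+1, ev.User, ev.InGroups))
			}
		}
	}
	return findings
}

func main() {
	for _, f := range auditGroupValidation(sampleLog, []string{"group1@example.com", "group2@example.com"}) {
		fmt.Println(f)
	}
}
```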
  • Refactor provider options

    Refactor provider options

    Introduces a simple switch to initialize the provider to allow for new providers to be subsequently added.

    I did consider removing the TestGoogleGroupInvalidFile function and including it in TestNewOptions, since it no longer requires a panic recovery, but that seemed like maybe the wrong solution once multiple providers are introduced.

    Fixes #6.

    opened by sporkmonger 14
  • Cookie overflow fix

    Cookie overflow fix

    Problem

    Azure AD (#118) produces massive 3kb tokens. Storing them directly inside cookies produces around 5kb of cookie after compression (#95) and encryption. Browsers typically limit sites to only 4096 bytes (or in some cases, very slightly less) per cookie, with about 110 bytes or so being used up by the cookie name and various attributes. So in practice, you can only store about 3986ish bytes per cookie, which the Azure AD provider goes way past.

    Solution

    Since we don't want to maintain server-side state, I've implemented a cookie store that automatically spans the data being stored across multiple cookies when needed, using a byte length prefix in the first cookie. It uses ~ as the delimiter between the cookie length prefix and the spanned cookie value since it's not used by any base64 encoding and also not escaped in URLs, HTTP headers, or HTML forms. The prefix is simply a base64 encoded binary serialization of the integer byte length.

    Notes

    The prefix length isn't signed or encrypted and could be altered by a malicious client, however altering it shouldn't do anything beneficial. It should just result in an error (all error conditions are covered in test cases).

    opened by sporkmonger 13
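The spanning scheme this PR describes, written out as an added example rather than the PR's own code: a length prefix (base64 of the integer byte length) joined to the first chunk with ~, the remaining chunks in further cookies, and any mismatch between the unauthenticated prefix and the data actually present treated as an error. The 3986-byte per-cookie budget is the figure from the PR; the big-endian uint32 serialization and the URL-safe base64 alphabet are this example's choices.

```go
package main

import (
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// maxCookieValue is the usable budget per cookie from the PR: 4096 bytes minus
// roughly 110 for the name and attributes.
const maxCookieValue = 3986

// delimiter separates the length prefix from the first chunk. It is not part
// of any base64 alphabet and is not escaped in URLs, headers or forms.
const delimiter = "~"

var errBadPrefix = errors.New("cookie: malformed or tampered length prefix")

// encodeLength is the prefix: base64 of the big-endian uint32 byte length.
func encodeLength(n int) string {
	var b [4]byte
	binary.BigEndian.PutUint32(b[:], uint32(n))
	return base64.RawURLEncoding.EncodeToString(b[:])
}

func decodeLength(s string) (int, error) {
	b, err := base64.RawURLEncoding.DecodeString(s)
	if err != nil || len(b) != 4 {
		return 0, errBadPrefix
	}
	return int(binary.BigEndian.Uint32(b)), nil
}

// Split turns one already encrypted and base64-encoded session value into the
// list of cookie values to set. The first carries "<prefix>~<chunk>"; every
// later cookie carries a raw chunk of at most maxCookieValue bytes.
func Split(value string) []string {
	prefix := encodeLength(len(value)) + delimiter
	first := maxCookieValue - len(prefix)
	if len(value) <= first {
		return []string{prefix + value}
	}
	parts := []string{prefix + value[:first]}
	for rest := value[first:]; len(rest) > 0; {
		n := maxCookieValue
		if len(rest) < n {
			n = len(rest)
		}
		parts = append(parts, rest[:n])
		rest = rest[n:]
	}
	return parts
}

// Join reassembles the chunks. The prefix is unauthenticated, so it is only
// used as a consistency check: a length that does not match the data present
// (altered prefix, dropped or duplicated cookie) is rejected here, and the
// joined value still has to pass decryption and MAC verification afterwards.
func Join(parts []string) (string, error) {
	if len(parts) == 0 {
		return "", errBadPrefix
	}
	idx := strings.Index(parts[0], delimiter)
	if idx < 0 {
		return "", errBadPrefix
	}
	want, err := decodeLength(parts[0][:idx])
	if err != nil {
		return "", err
	}
	joined := parts[0][idx+1:] + strings.Join(parts[1:], "")
	if len(joined) != want {
		return "", fmt.Errorf("cookie: prefix claims %d bytes, %d present", want, len(joined))
	}
	return joined, nil
}

func main() {
	parts := Split(strings.Repeat("A", 5000)) // stands in for a 5 KB encrypted token
	fmt.Printf("%d cookies, first %d bytes, last %d bytes\n", len(parts), len(parts[0]), len(parts[len(parts)-1]))
	_, err := Join(parts[:1]) // simulate a browser that dropped the second cookie
	fmt.Println("dropped cookie:", err)
}
```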
  • sso-proxy: websocket support

    sso-proxy: websocket support

    Is your feature request related to a problem? Please describe.

    I did a readthrough of the proxy code and believe that there is no support for websockets, since httputil.ReverseProxy does not support websockets out of the box. It would be great to add them.

    Describe the solution you'd like

    Let's add websocket support. It'd look roughly like this: https://github.com/samsarahq/oauth2_proxy/pull/1/files#diff-6fd8df33d9f8086bc31e28c375fbc0abR99

    Describe alternatives you've considered

    I didn't consider an alternative apart from not using this library.

    Additional context

    n/a

    enhancement 
    opened by stephen 13
  • Unable to use Forward Proxy in SSO Auth for oauth token

    Unable to use Forward Proxy in SSO Auth for oauth token

    We are running buzzfeed-sso in a private cluster which doesn't have access to the internet. For applications which need to communicate with internet-facing services we are using a forward proxy (Squid) hosted in the same network.

    We use the environment variables below to connect through the proxy:

    HTTPS_PROXY=http://squid.local:1234
    HTTP_PROXY=http://squid.local:1234
    no_proxy=cluster.local (for internal communication)

    We are getting the error below from the sso-authenticator application:

    {"error":"Post https://www.googleapis.com/oauth2/v4/token: dial tcp 142.250.183.42:443: i/o timeout","level":"error","msg":"error redeeming authentication code","remote_address":"<redacted>","service":"sso-authenticator","time":"2021-05-23 16:31:43.135"}

    Is there any other way to achieve this?

    opened by saithejareddy 11
  • sso-auth: add provider for individual e-mail address authentication

    sso-auth: add provider for individual e-mail address authentication

    Problem

    Addresses: https://github.com/buzzfeed/sso/issues/32

    Solution

    Add new parameters:

    • AUTH: SSO_EMAIL_ADDRESSES
    • PROXY: EMAIL_ADDRESSES

    If these parameters are provided they override SSO_EMAIL_DOMAIN and EMAIL_DOMAIN respectively. The new parameters use a validator to check the full e-mail address.

    Notes

    Example deployment:

    ---
    apiVersion: v1
    kind: Namespace
    metadata:
      labels:
        k8s-app: sso
      name: sso
    ---
    apiVersion: v1
    kind: Secret
    metadata:
      labels:
        k8s-app: sso
      name: sso-authenticated-emails
      namespace: sso
    type: Opaque
    data:
      emails: "<BASE64_SECRET>"
    ---
    apiVersion: v1
    kind: Secret
    metadata:
      labels:
        k8s-app: sso
        component: auth
      name: sso-auth-secrets
      namespace: sso
    type: Opaque
    data:
      CLIENT_ID: "<BASE64_SECRET>"
      CLIENT_SECRET: "<BASE64_SECRET>"
      AUTH_CODE_SECRET: "<BASE64_SECRET>"
      COOKIE_SECRET: "<BASE64_SECRET>"
    ---
    apiVersion: v1
    kind: Secret
    metadata:
      labels:
        k8s-app: sso
        component: proxy
      name: sso-proxy-secrets
      namespace: sso
    type: Opaque
    data:
      CLIENT_ID: "<BASE64_SECRET>"
      CLIENT_SECRET: "<BASE64_SECRET>"
      AUTH_CODE_SECRET: "<BASE64_SECRET>"
      COOKIE_SECRET: "<BASE64_SECRET>"
    ---
    apiVersion: v1
    kind: ConfigMap
    metadata:
      labels:
        k8s-app: sso
      name: sso-upstream-configs
      namespace: sso
    data:
      upstream_configs.yml: |-
        - service: hello-world
          default:
            from: hello-world.sso.domain.com
            to: http://hello-world.default.svc.cluster.local
    ---
    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      labels:
        k8s-app: sso
        component: proxy
      name: sso-proxy
      namespace: sso
    spec:
      replicas: 1
      template:
        metadata:
          labels:
            k8s-app: sso
            component: proxy
        spec:
          containers:
          - image: tahoward/sso
            name: sso-proxy
            command: ["/bin/sso-proxy"]
            ports:
            - containerPort: 4180
            env:
              - name: EMAIL_ADDRESSES
                valueFrom:
                  secretKeyRef:
                    name: sso-authenticated-emails
                    key: emails
              - name: UPSTREAM_CONFIGS
                value: /sso/upstream_configs.yml
              - name: PROVIDER_URL
                value: https://auth.domain.com
              - name: CLIENT_ID
                valueFrom:
                  secretKeyRef:
                    name: sso-proxy-secrets
                    key: CLIENT_ID
              - name: CLIENT_SECRET
                valueFrom:
                  secretKeyRef:
                    name: sso-proxy-secrets
                    key: CLIENT_SECRET
              - name: AUTH_CODE_SECRET
                valueFrom:
                  secretKeyRef:
                    name: sso-proxy-secrets
                    key: AUTH_CODE_SECRET
              - name: COOKIE_SECRET
                valueFrom:
                  secretKeyRef:
                    name: sso-proxy-secrets
                    key: COOKIE_SECRET
              # STATSD_HOST and STATSD_PORT must be defined or the app won't launch; they don't need to be a real host / port, but they do need to be defined.
              - name: STATSD_HOST
                value: localhost
              - name: STATSD_PORT
                value: "11111"
              - name: COOKIE_SECURE
                value: "false"
              - name: CLUSTER
                value: dev
              - name: VIRTUAL_HOST
                value: "*.sso.domain.com"
            readinessProbe:
              httpGet:
                path: /ping
                port: 4180
                scheme: HTTP
            livenessProbe:
              httpGet:
                path: /ping
                port: 4180
                scheme: HTTP
              initialDelaySeconds: 10
              timeoutSeconds: 1
            resources:
              limits:
                memory: "256Mi"
                cpu: "200m"
            volumeMounts:
            - name: upstream-configs
              mountPath: /sso
          volumes:
            - name: upstream-configs
              configMap:
                name: sso-upstream-configs
    ---
    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      labels:
        k8s-app: sso
        component: auth
      name: sso-auth
      namespace: sso
    spec:
      replicas: 1
      template:
        metadata:
          labels:
            k8s-app: sso
            component: auth
        spec:
          containers:
          - image: tahoward/sso
            name: sso-auth
            command: ["/bin/sso-auth"]
            ports:
            - containerPort: 4180
            env:
              - name: SSO_EMAIL_ADDRESSES
                valueFrom:
                  secretKeyRef:
                    name: sso-authenticated-emails
                    key: emails
              - name: HOST
                value: auth.domain.com
              - name: REDIRECT_URL
                value: https://auth.domain.com
              - name: PROXY_ROOT_DOMAIN
                value: domain.com
              - name: CLIENT_ID
                valueFrom:
                  secretKeyRef:
                    name: sso-auth-secrets
                    key: CLIENT_ID
              - name: CLIENT_SECRET
                valueFrom:
                  secretKeyRef:
                    name: sso-auth-secrets
                    key: CLIENT_SECRET
              - name: PROXY_CLIENT_ID
                valueFrom:
                  secretKeyRef:
                    name: sso-proxy-secrets
                    key: CLIENT_ID
              - name: PROXY_CLIENT_SECRET
                valueFrom:
                  secretKeyRef:
                    name: sso-proxy-secrets
                    key: CLIENT_SECRET
              - name: AUTH_CODE_SECRET
                valueFrom:
                  secretKeyRef:
                    name: sso-auth-secrets
                    key: AUTH_CODE_SECRET
              - name: COOKIE_SECRET
                valueFrom:
                  secretKeyRef:
                    name: sso-auth-secrets
                    key: COOKIE_SECRET
              # OLD_COOKIE_SECRET is the same as COOKIE_SECRET, not sure why it's even needed at this point
              - name: OLD_COOKIE_SECRET
                valueFrom:
                  secretKeyRef:
                    name: sso-auth-secrets
                    key: COOKIE_SECRET
              # STATSD_HOST and STATSD_PORT must be defined or the app won't launch; they don't need to be a real host / port
              - name: STATSD_HOST
                value: localhost
              - name: STATSD_PORT
                value: "11111"
              - name: COOKIE_SECURE
                value: "false"
              - name: CLUSTER
                value: dev
              - name: VIRTUAL_HOST
                value: auth.domain.com
            readinessProbe:
              httpGet:
                path: /ping
                port: 4180
                scheme: HTTP
            livenessProbe:
              httpGet:
                path: /ping
                port: 4180
                scheme: HTTP
              initialDelaySeconds: 10
              timeoutSeconds: 1
            resources:
              limits:
                memory: "256Mi"
                cpu: "200m"
    ---
    apiVersion: v1
    kind: Service
    metadata:
      labels:
        k8s-app: sso
        component: proxy
      name: sso-proxy
      namespace: sso
    spec:
      ports:
      - port: 80
        targetPort: 4180
        name: http
      selector:
        k8s-app: sso
        component: proxy
    ---
    apiVersion: v1
    kind: Service
    metadata:
      labels:
        k8s-app: sso
        component: auth
      name: sso-auth
      namespace: sso
    spec:
      ports:
      - port: 80
        targetPort: 4180
        name: http
      selector:
        k8s-app: sso
        component: auth
    ---
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      labels:
        k8s-app: sso
      annotations:
        certmanager.k8s.io/cluster-issuer: letsencrypt
        certmanager.k8s.io/acme-challenge-type: dns01
        certmanager.k8s.io/acme-dns01-provider: cloudflare
      name: sso-ingress
      namespace: sso
    spec:
      rules:
      - host: auth.domain.com
        http:
          paths:
          - backend:
              serviceName: sso-auth
              servicePort: 80
            path: /
      - host: "*.sso.domain.com"
        http:
          paths:
          - backend:
              serviceName: sso-proxy
              servicePort: 80
            path: /
      tls:
      - secretName: sso-auth-cert
        hosts: 
        - auth.domain.com
      - secretName: sso-proxy-cert
        hosts: 
        - "*.sso.domain.com"
    ---
    # HELLO WORLD
    apiVersion: extensions/v1beta1
    kind: Deployment
    metadata:
      name: hello-world
      labels:
        k8s-app: hello-world
    spec:
      replicas: 1
      template:
        metadata:
          labels:
            k8s-app: hello-world
        spec:
          containers:
          - image: tutum/hello-world:latest
            name: hello-world
            ports:
            - containerPort: 80
    ---
    kind: Service
    apiVersion: v1
    metadata:
      labels:
        k8s-app: hello-world
      name: hello-world
    spec:
      ports:
      - port: 80
      selector:
        k8s-app: hello-world
    
    enhancement 
    opened by tahoward 11
  • Error redeeming authorization code

    Error redeeming authorization code

    I just set up the SSO auth, but I get an internal server error after I choose my Google account:

    The SSO proxy log says:

    {"error":"got 403 from \"https://sso-auth.service.int.mydomain.com/redeem\" \u003chtml\u003e\r\n\u003chead\u003e\u003ctitle\u003e403 Forbidden\u003c/title\u003e\u003c/head\u003e\r\n\u003cbody bgcolor=\"white\"\u003e\r\n\u003ccenter\u003e\u003ch1\u003e403 Forbidden\u003c/h1\u003e\u003c/center\u003e\r\n\u003chr\u003e\u003ccenter\u003enginx/1.15.3\u003c/center\u003e\r\n\u003c/body\u003e\r\n\u003c/html\u003e\r\n","level":"error","msg":"error redeeming authorization code","remote_address":"x.x.x.x","service":"sso-proxy","time":"2018-10-26 14:51:39.10262"}
    {"http_status":500,"level":"info","msg":"error page","page_message":"Internal Error","page_title":"Internal Error","service":"sso-proxy","time":"2018-10-26 14:51:39.10262"}
    

    What is this error message supposed to tell me and how can I fix it?

    error redeeming authorization code

    In the SSO auth container I only see a few 302 redirects, but no error messages or warnings.

    opened by weeco 11
  • Static assets now built into the binary

    Static assets now built into the binary

    Problem

    Fixes #7, simplifies deployment.

    Solution

    Bake static assets into a .go file that functions as a file server.

    Notes

    Opted to use https://github.com/rakyll/statik over https://github.com/jteeuwen/go-bindata since it's actively maintained.

    opened by sporkmonger 11
  • Make TLS verification of upstream servers configurable

    Make TLS verification of upstream servers configurable

    When pointing the proxy directly at an AWS ALB, e.g., the cert presented by the ALB is guaranteed to be invalid, as you can't get a cert for *.elb.amazonaws.com. Depending on your deployment setup you may or may not be able to easily automate creation of corresponding DNS records to match your certs. And of course your certs might be self-signed. Therefore it's desirable to be able to disable TLS verification for upstream servers in some cases. Particularly because the real security barrier is the necessary firewall rule that ensures nothing else can talk to the upstream server.

    Fixes #47.

    opened by sporkmonger 11
  • sso-auth: Members in a group within a group don't validate

    sso-auth: Members in a group within a group don't validate

    I've set up group validation using Gsuite, and that is working correctly, however my groups may contain other groups (to build an easier hierarchy).

    It seems that when a group contains one or more other groups, sso-auth does not traverse down into those other groups to validate if the user is a member of those. In the meantime I've added those additional groups to the sso-proxy configuration, but I would prefer to be able to use the nesting mechanism already present in Gsuite.

    To Reproduce

    Steps to reproduce the behavior:

    1. Create new group in Gsuite
    2. Add a group as member in that new group created in 1
    3. Add the new group created in 1 as the allowed_groups in sso-proxy's upstream config
    4. Notice that a user that is in the sub-group is not granted access to the resource

    Expected behavior

    I would expect sso-auth to traverse the groups found within a group for a match too.

    enhancement 
    opened by bertjwregeer 10
  • pkg/logging: Use RFC3339 compatible time format

    pkg/logging: Use RFC3339 compatible time format

    Signed-off-by: Nam Hai Nguyen [email protected]

    Problem

    The logging pkg doesn't use either the RFC 3339 or the ISO 8601 time format, so we have to parse SSO logs specially.

    Solution

    Use a valid RFC 3339 time format.

    Reference: https://ijmacd.github.io/rfc3339-iso8601/

    opened by namm2 0
  • build(deps): bump gopkg.in/yaml.v2 from 2.2.2 to 2.2.8

    build(deps): bump gopkg.in/yaml.v2 from 2.2.2 to 2.2.8

    Bumps gopkg.in/yaml.v2 from 2.2.2 to 2.2.8.

    Commits
    • 53403b5 Optimize cases with long potential simple_keys (#555)
    • 1f64d61 Fix issue in simple_keys improvements (#548)
    • a95acef Update travis config to use latest go versions (#540)
    • 36babc3 Port stale simple_keys fix to v2 (#543)
    • 770b8da Fix Decorder doc typo (#494)
    • 1ed5951 Add Go 1.10-13 to travis setup.
    • f90ceb4 Fix check for non-map alias merging in v2 (#529)
    • 970885f Trivial style tuning on last change.
    • f221b84 Improve heuristics preventing CPU/memory abuse (#515)
    • bb4e33b Add logic to catch cases of alias abuse.
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot[bot] 0
  • build(deps): bump github.com/gorilla/websocket from 1.4.0 to 1.4.1

    build(deps): bump github.com/gorilla/websocket from 1.4.0 to 1.4.1

    Bumps github.com/gorilla/websocket from 1.4.0 to 1.4.1.

    Release notes

    Sourced from github.com/gorilla/websocket's releases.

    v1.4.1

    Notable Changes

    ⚠️ This release fixes a potential denial-of-service (DoS) vector in gorilla/websocket, and we recommend that all users upgrade to this version (v1.4.1) or later

    The vulnerability could allow an attacker to consume excessive amounts of memory on the server by bypassing read limits, and potentially cause the server to go out-of-memory (OOM).

    See the published security advisory for more details.

    Credit to Max Justicz (https://justi.cz/) for discovering and reporting this, as well as providing a robust PoC and review.

    CHANGELOG

    • c3e18be Create release-drafter.yml (#538)
    • 5b740c2 Read Limit Fix (#537)
    • 7e9819d fix typos (#532)
    • ae1634f Create CircleCI config.yml (#519)
    • 80c2d40 fix autobahn test suite link (#503)
    • 6a67f44 remove redundant err!=nil check in conn.go Close method (#505)
    • 0ec3d1b Fix typo
    • 856ca61 Add buffer commentary
    • 7c8e298 Add support for go-module
    • 8ab6030 Add JoinMessages
    • 95ba29e Updated autobahn test suite URL
    • 483fb8d Add "in bytes" to sizes in documentation
    • 76e4896 Fix formatting problem in the docs. (#435)
    • a51a35a Improve header parsing code
    • 3130e8d Return write buffer to pool on write error (#427)
    • cdd40f5 Add comprehensive host test (#429)

    dependencies 
    opened by dependabot[bot] 0
  • Dockerimage outdated and has many security erratas/cve

    Dockerimage outdated and has many security erratas/cve

    Describe the bug Currently the Docker image has not been changed for nearly 8 months and uses Debian as its base image, which carries a lot of security CVEs.

    To Reproduce Not possible.

    Expected behavior Docker image should be maintained and possible errata/cve should be solved.

    Screenshots (two images, not reproduced here)

    Additional context Don't know if I should call this a "bug", but it's not a feature request. The CVE report was generated with an internal tool, but I can recheck for solved CVEs if a new version is published.

    opened by dabde 1
  • Document preserve_host option in `sso_config.md`

    Document preserve_host option in `sso_config.md`

    Preserve host is documented in proxy_config.go as: 'preserve_host - preserve the host named based in up the client request rather than re-writing for the upstream host'.

    It would be great to list this in sso_config.md as well.

    opened by dli7319 0
  • updating k8s configuration

    updating k8s configuration

    Problem

    Kubernetes configuration files are out of date

    Solution

    Match with current sso and kubernetes requirements to make it work

    Notes

    As I followed the original article to set up buzzfeed/sso on K8S back in the day, I kind of lost track of what env vars are actually required. Maybe some I use are now out of date but are still available on my cluster.

    opened by 2o1o0 2
Releases(v3.0.0)
Owner
BuzzFeed
Home-sso-service - Single-Sign On service with golang

home-sso-service This is Single-Sign On service Dependencies go version go1.15.6

Nguyen Lam 1 May 10, 2022
A single sign-on solution based on go-oauth2 / oauth2 and gin-gonic/gin

A single sign-on solution based on go-oauth2 / oauth2 and gin-gonic/gin

yinhuanyi 1 Nov 17, 2021
an SSO and OAuth / OIDC login solution for Nginx using the auth_request module

Vouch Proxy An SSO solution for Nginx using the auth_request module. Vouch Proxy can protect all of your websites at once. Vouch Proxy supports many O

Vouch 2k Sep 19, 2022
The Single Sign-On Multi-Factor portal for web apps

Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for your applications

Authelia 14.2k Sep 26, 2022
Basic Single Sign-On with Go

Basic Single Sign-On (SSO) This is a basic project to implement SSO with Go. List Structure Configuration Database Implement Register Request Check Us

Milad Poshtdari 0 Nov 5, 2021
Provides AWS STS credentials based on Google Apps SAML SSO auth with interactive GUI support

What's this This command-line tool allows you to acquire AWS temporary (STS) credentials using Google Apps as a federated (Single Sign-On, or SSO) pro

Quan Hoang 33 Sep 17, 2022
Makes dealing with AWS SSO Logins an ease

go-aws-sso Make working with AWS SSO on local machines an ease. What is it about? Choose and retrieve short-living role credentials from all of your S

Tim Heurich 47 Jul 18, 2022
Lightweight SSO Login System

login Lightweight SSO Login System Convention Redirect to login.changkun.de?redirect=origin When login success, login.changkun.de will redirect to ori

Changkun Ou 4 Dec 1, 2021
A distributed SSO system

single-sign-on-system Part 1: SSO single sign-on system development summary. (1) Overall architecture analysis: a front-end/back-end separated SSO single sign-on system built on the go-oauth2/oauth2 library. (2) Analysis of the system's technical points: the current system's business technology stack is as follows: Vue3 and ElementUI for the front-end pages; Nginx to resolve cross-origin issues between systems

yinhuanyi 3 Aug 9, 2022
Sign, encrypt and authenticate http cookies with golang

ecookie sign, encrypt and authenticate cookies with golang... this package uses rabbit cipher to encrypt and blake2 hash function in order to authenti

Sina Ghaderi 5 Feb 3, 2022
Handle Web Authentication for Go apps that wish to implement a passwordless solution for users

WebAuthn Library This library is meant to handle Web Authentication for Go apps that wish to implement a passwordless solution for users. While the sp

Duo Labs 937 Sep 20, 2022
Handle Web Authentication for Go apps that wish to implement a passwordless solution for users

WebAuthn Library This library is meant to handle Web Authentication for Go apps that wish to implement a passwordless solution for users. While the sp

null 10 Sep 18, 2022
The mep-agent module provides proxy services for 3rd applications to MEP.

Mep-Agent Introduction Mep-Agent is a middleware that provides proxy services for third-party apps. It can help apps, which do not implement the ETSI

EdgeGallery 21 Mar 9, 2022
Casdoor is a UI-first centralized authentication / Single-Sign-On (SSO) platform based on OAuth 2.0 / OIDC.

A UI-first centralized authentication / Single-Sign-On (SSO) platform based on OAuth 2.0 / OIDC

Casbin 4.2k Sep 25, 2022
Kitex byte-dance internal Golang microservice RPC framework with high performance and strong scalability, customized extensions for byte internal.

Kitex: ByteDance's internal Golang microservice RPC framework, featuring high performance and strong extensibility, with customized extensions for ByteDance internal use.

CloudWeGo 5.1k Sep 24, 2022
log4jScanner: provides you with the ability to scan internal (only) subnets for vulnerable log4j web service

log4jScanner Goals This tool provides you with the ability to scan internal (only) subnets for vulnerable log4j web services. It will attempt to send

Profero 475 Sep 17, 2022
Scylla-octopus is a backup and maintenance utility for scylladb.

scylla-octopus: a scylladb backup utility Scylla-octopus is a backup and maintenance utility for scylladb. It attempts to reproduce some functionality

Kolesa Group 24 Jul 22, 2022
Fast :zap: reverse proxy in front of any GraphQL server for caching, securing and monitoring.

Fast ⚡ reverse proxy in front of any GraphQL server for caching, securing and monitoring. Features: Caching RFC7234 compliant HTTP Cache. Cache quer

GBox Proxy 19 Sep 3, 2022