A reverse proxy that provides authentication with Google, Github or other providers.

Last update: May 15, 2022

Overview

A reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by email, domain or group.

Note: This repository was forked from bitly/OAuth2_Proxy on 27/11/2018. Versions v3.0.0 and up are from this fork and will have diverged from any changes in the original fork. A list of changes can be seen in the CHANGELOG.

Note: This project was formerly hosted as pusher/oauth2_proxy but has been renamed as of 29/03/2020 to oauth2-proxy/oauth2-proxy. Going forward, all images shall be available at quay.io/oauth2-proxy/oauth2-proxy and binaries will be named oauth2-proxy.

Installation

Choose how to deploy:

a. Download Prebuilt Binary (current release is v7.0.1)

b. Build with $ go get github.com/oauth2-proxy/oauth2-proxy which will put the binary in $GOROOT/bin

c. Using the prebuilt docker image quay.io/oauth2-proxy/oauth2-proxy (AMD64, ARMv6 and ARM64 tags available)

Prebuilt binaries can be validated by extracting the file and verifying it against the sha256sum.txt checksum file provided for each release starting with version v3.0.0.

sha256sum -c sha256sum.txt 2>&1 | grep OK
oauth2-proxy-x.y.z.linux-amd64: OK

Security

If you are running a version older than v6.0.0 we strongly recommend you please update to a current version. See open redirect vulnverability for details.

Docs

Read the docs on our Docs site.

Getting Involved

If you would like to reach out to the maintainers, come talk to us in the #oauth2-proxy channel in the Gophers slack.

Contributing

Please see our Contributing guidelines. For releasing see our release creation guide.

Issues

Introduce example kubernetes deployment & documentation

Currently, there is no documentation and/or examples on how to deploy oauth2-proxy on kubernetes. This would be a neat addition, especially for begineer k8s users to have something to base off of.

I'd gladly work on both the example manifests and documentation, provided it's a desired feature.
enhancement help wanted docs Stale

opened by Kamilczak020 52
Support for Microsoft Identity platform with Azure provider
At the moment the Azure provider supports only Azure Active Directory (v1.0) endpoints. Version v1.0 is deprecated by Microsoft and not fully compliant with the OIDC protocol.

Expected Behavior

The azure provider should be able to retrieve a JWT token using the v2.0 endpoint.

Current Behavior

At the moment if you use a v2.0 endpoint you get the error:

AADSTS901002: The 'resource' request parameter is not supported.

Steps to Reproduce (for bugs)

This should be a working configuration:

provider: azure azure-tenant: [REDACTED] oidc-issuer-url: https://login.microsoftonline.com/[REDACTED]/v2.0 resource: 6dae42f8-4368-4678-94ff-3960e28e3630 set-xauthrequest: "true"

Your Environment

AKS managed AAD cluster

Server Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.5", GitCommit:"9a45ba1752db920873e084791faff8d470278b09", GitTreeState:"clean", BuildDate:"2021-05-19T22:28:02Z", GoVersion:"go1.15.8", Compiler:"gc", Platform:"linux/amd64"}

oauth2-proxy: chart v3.3.2, application v7.1.3

enhancement Stale
opened by mvalenzisi 49

CookieRefresh option does not refresh session age, spams logs

When a session is old enough to be "refreshed", its age is never reset, causing subsequent authenticated requests to continually spam "Refreshing old session cookie" in the logs.

Expected Behavior

When:

--cookie-refresh=1m is set
multiple calls to /oauth2/auth are made over the course of several minutes

I expect that:

in the logs, at most 1 request per minute has a "Refreshing old session cookie" message
in the logs, the age of this request message never significantly exceeds my --cookie-refresh parameter.
On the client, I see an updated cookie with a new CreatedAt

Current Behavior

For simple CookieSession sessions backed by basic auth, every request after the initial refresh duration logs a "Refresh" message.

For OIDC sessions backed by redis, it appears to continually re-authenticate an unexpired access token, until eventually the access token expires.

Possible Solution

When a session should be refreshed, it's CreatedAt could be reset to now. Alternatively, a second RefreshedAt could be tracked. Alternatively, the --cookie-refresh option could be removed.

Steps to Reproduce (for bugs)

A simple reproduction of the case:

Run a test oauth2_proxy (using password file auth for test simplicity)

docker run --mount type=bind,source=/path/to/passwordfolder,target=/data -p 127.0.0.1:4180:4180 quay.io/oauth2-proxy/oauth2-proxy  -http-address='0.0.0.0:4180' -htpasswd-file=/data/passwords.txt -cookie-secret='YmJiYmJiYmJiYmJiYmJiYg==' -client-id=foo -client-secret=bar -cookie-secure=false -cookie-refresh=60s

curl -c cookies.txt -v 'http://127.0.0.1:4180/oauth2/sign_in' --data 'rd=%2F&username=testuser&password=testpassword'

continually re-request authentication status

while true; do
  date
  curl -v '127.0.0.1:4180/oauth2/auth' -c cookies.txt -b cookies.txt
  md5 cookies.txt
  tail -n1 cookies.txt | ruby -rbase64 -rjson -ne 'p JSON.parse(Base64.decode64($_.split.last.split("|").first))'
  sleep 15
done

observe the log output: oauth2_proxy:

172.17.0.1 - testuser [2020/04/13 23:33:58] [AuthSuccess] Authenticated via HtpasswdFile
172.17.0.1 - - [2020/04/13 23:33:58] 127.0.0.1:4180 POST - "/oauth2/sign_in" HTTP/1.1 "curl/7.54.0" 302 0 0.000
172.17.0.1 - testuser [2020/04/13 23:34:03] 127.0.0.1:4180 GET - "/oauth2/auth" HTTP/1.1 "curl/7.54.0" 202 0 0.000
172.17.0.1 - testuser [2020/04/13 23:34:18] 127.0.0.1:4180 GET - "/oauth2/auth" HTTP/1.1 "curl/7.54.0" 202 0 0.000
172.17.0.1 - testuser [2020/04/13 23:34:33] 127.0.0.1:4180 GET - "/oauth2/auth" HTTP/1.1 "curl/7.54.0" 202 0 0.000
172.17.0.1 - testuser [2020/04/13 23:34:49] 127.0.0.1:4180 GET - "/oauth2/auth" HTTP/1.1 "curl/7.54.0" 202 0 0.001
[2020/04/13 23:35:04] [oauthproxy.go:872] Refreshing 1m5.5872417s old session cookie for Session{email: user:testuser PreferredUsername: created:2020-04-13 23:33:58.4127583 +0000 UTC} (refresh after 1m0s)
172.17.0.1 - testuser [2020/04/13 23:35:04] 127.0.0.1:4180 GET - "/oauth2/auth" HTTP/1.1 "curl/7.54.0" 202 0 0.001
[2020/04/13 23:35:19] [oauthproxy.go:872] Refreshing 1m20.5872417s old session cookie for Session{email: user:testuser PreferredUsername: created:2020-04-13 23:33:58.4127583 +0000 UTC} (refresh after 1m0s)
172.17.0.1 - testuser [2020/04/13 23:35:19] 127.0.0.1:4180 GET - "/oauth2/auth" HTTP/1.1 "curl/7.54.0" 202 0 0.000
[2020/04/13 23:35:35] [oauthproxy.go:872] Refreshing 1m36.5872417s old session cookie for Session{email: user:testuser PreferredUsername: created:2020-04-13 23:33:58.4127583 +0000 UTC} (refresh after 1m0s)
172.17.0.1 - testuser [2020/04/13 23:35:35] 127.0.0.1:4180 GET - "/oauth2/auth" HTTP/1.1 "curl/7.54.0" 202 0 0.000
[2020/04/13 23:35:50] [oauthproxy.go:872] Refreshing 1m51.5872417s old session cookie for Session{email: user:testuser PreferredUsername: created:2020-04-13 23:33:58.4127583 +0000 UTC} (refresh after 1m0s)
172.17.0.1 - testuser [2020/04/13 23:35:50] 127.0.0.1:4180 GET - "/oauth2/auth" HTTP/1.1 "curl/7.54.0" 202 0 0.001

bash(edited)

MD5 (cookies.txt) = 19502faba8fd0ea08293130b8b577904
{"User"=>"7F31PtJ13MC1MRepdbxdR57tHIRDAHq7", "CreatedAt"=>"2020-04-13T23:33:58.4127583Z"}
...
MD5 (cookies.txt) = 7e53bd520ddb9dc1e9d7e9830fc7557c
{"User"=>"0WsAYW4zvAIKq9kvkba7hPjLg7Lsqbuh", "CreatedAt"=>"2020-04-13T23:33:58.4127583Z"}
...
MD5 (cookies.txt) = 0eb4c50b0a28563df35574bc5674a11a
{"User"=>"oP6+kfZDu6MitpHE007d0Pz+7265EWEh", "CreatedAt"=>"2020-04-13T23:33:58.4127583Z"}
...

Context

While investigating other issues related to traffic and redirect loops, I was led astray by the surprising frequency of these Refresh messages, especially frequent & continual Refreshes for the same user that were well after the --cookie-refresh parameter.

Your Environment

We're using oauth2-proxy as a delegated authentication endpoint for ingress-nginx in kubernetes. However, the same issue reproduces outside that environment.

bug help wanted Stale

opened by YenTheFirst 43

Use the raw url path when proxying upstream requests
This way escaped char's like /%2F/ will still work instead of returning 301. The proxy should ideally touch the request as little as possible / needed.

Description

Adds a new configuration flag to enable passing of the raw path to upstreams

Motivation and Context

https://github.com/oauth2-proxy/oauth2-proxy/issues/844

How Has This Been Tested?

a couple of new tests and running in our production setup for ~6month now.

Checklist:

[X] My change requires a change to the documentation or CHANGELOG.

[X] I have updated the documentation/CHANGELOG accordingly.

[X] I have created a feature (non-master) branch for my PR.
opened by FStelzer 41
Add support to ensure user belongs in required groups when using the OIDC provider
Description

By adding the ability to provide a group-claim when configuring the OICD provider, this enables the ability to perform validation to ensure that a user has a specific group claim present.

This comes in handy in our case when using Dex we can fetch all groups, and then in our individual oauth2-proxies handle fine grained group level checks.

Motivation and Context

Closes https://github.com/oauth2-proxy/oauth2-proxy/issues/600

How Has This Been Tested?

Unit tests have been added and manual testing performed within a local kind cluster, it should not affect existing behavior as this is an addition and by default group-claim=""which means that we do not perform any checks.

Checklist:

[X] My change requires a change to the documentation or CHANGELOG.

[X] I have updated the documentation/CHANGELOG accordingly.

[X] I have created a feature (non-master) branch for my PR.

Documentation has been updated, to show the new field, just unsure on the changelog is it manual or automatically generated?
enhancement
opened by stefansedich 38
Implement subdomain-based routing
This PR adds subdomain-based routing.

Description

This PR makes it possible to route based on domain name in addition to by path, for example:

upstreams = [ http://default-upstream:8082/ delta|http://delta-service:8083/ echo|http://echo-service:8080/ echo|http://echo-service-api:8080/api/ ] cookie_domain = ".mydomain.com"

With this new config it's possible to route https://delta.mydomain.com/, https://echo.mydomain.com/ as well as https://echo.mydomain.com/api/ differently.

Motivation and Context

Sometimes it is desirable to route not only based on the path, but also on the subdomain. This allows the use of the same oauth2 callback URL and oauth2_proxy for multiple sites in the same domain.

How Has This Been Tested?

We tested this patch in our production domain. A modified version (based on the bitly/google-oauth-proxy) has been running successfully for us for a few years now.

Checklist:

[X] My change requires a change to the documentation or CHANGELOG.

[X] I have updated the documentation/CHANGELOG accordingly.

[X] I have created a feature (non-master) branch for my PR.

enhancement Stale
opened by rustyx 36
extract email from id_token for azure provider
extract email from id_token, if present, for azure provider

Description

this change fixes a bug when --resource is specified with non-Graph api and the access token destined to --resource is used to call Graph api

Motivation and Context

Fixes #913

How Has This Been Tested?

unit test and end to end validation

Checklist:

[x] My change requires a change to the documentation or CHANGELOG.

[ ] I have updated the documentation/CHANGELOG accordingly.

[x] I have created a feature (non-master) branch for my PR.
opened by weinong 34
Proposal: Deprecation of cookie splitting
Currently (v5.1.0), when a session is encrypted and the size of the session exceeds 4kb, there is logic within the proxy to split the cookie. This is required so that we do not exceed the maximum size of a cookie. As far as I'm aware this is guaranteed to happen when using Azure because of the size of the ID Tokens they generate, and it has caused a number of issues in the past.

There is an alternate solution however. By using redis as a session store (potentially we need to implement other alternate session stores? sqlite could be a good option for small deployments, dynamo or other cloud dbs for scaled deployments? Kubernetes CRDs for those running on Kubernetes), the larger sessions can be stored server side and the client need only keep track of a session ticket encrypted within the cookie, which is typically much smaller.

There are other additional benefits of server side session storage as well, eg you are less likely to have authentication fail during refreshes as the session can not go stale in a cookie.

My proposal would be that we remove this behaviour from the proxy in a couple of steps:

First, introduce a warning that the cookie is being split

Secondly either remove the splitting altogether or feature gate it behind a flag

If feature gated, make a note that this is unsupported behaviour and that support will not be provided when using the feature

I would like to gather feedback from the community on this idea before we make a breaking change, so please post comments below

Related issues:

#458

#350

#138

#69

#29

#388

#266

enhancement help wanted high-priority breaking
opened by JoelSpeed 33

Describe ingress setup for dynamic callback urls

Hi @JoelSpeed,

I'm facing the same issue described in #12 and have been trying to get the described setup working but the redirect to the downstream ingress doesn't work. Do you have some more documentation on how this exactly should look like?

Here's what I did:

Install the chart

helm install stable/oauth2-proxy --name login-oauth2-proxy \
    --namespace xyz \
    --set config.clientID="clientId" \
    --set config.clientSecret="clientSecret" \
    --set config.cookieSecret="cookieSecret" \
    --set extraArgs.provider="azure" \
    --set extraArgs.azure-tenant="tenantId" \
    --set extraArgs.whitelist-domain=".mydomain.com" \
    --tls

Create the ingress for oauth2_proxy:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: login-ingress-oauth2
  namespace: xyz
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  rules:
  - host: login.mydomain.com
    http:
      paths:
      - backend:
          serviceName: login-oauth2-proxy
          servicePort: 80
        path: /oauth2
  tls:
  - hosts:
    - login.mydomain.com

By now browsing https://login.mydomain.com/oauth2/sign_in works as expected.

Configure downstream ingress to use the oauth2_proxy:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: myservice-ingress
  namespace: xyz
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/auth-url: "https://login.mydomain.com/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://login.mydomain.com/oauth2/start?rd=service.cdhamap.com"
spec:
  rules:
  - host: service.cdhamap.com
    http:
      paths:
      - backend:
          serviceName: service-backend
          servicePort: 1337
        path: /
  tls:
  - hosts:
    - service.cdhamap.com

Browsing https://service.mydomain.com now correctly redirects me to the Microsoft Login but still shows https://login.mydomain.com/oauth2/callback as the redirect_uri which then after successful authentication falls back to default-backend.

What am I missing?

Thanks a lot!!

Stale

opened by elsesiy 33

More fields in `/oauth2/userinfo`
Expected Behavior

The /oauth2/userinfo endpoint returns the email address (and I think one other field). It would be nice to have this configurable in a way to return more data from the underlying token in a configurable way.

Current Behavior

The /oauth2/userinfo endpoint does not return much info apart from email.

Possible Solution

Make it configurable which fields from the token are passed into this endpoint.

Context

The use case for this would be front-ends where you want custom fields out of the token to be readable by JS. I use Louketo at the moment to protect some front-ends and would like to switch. One of the things I do is read the user's theme settings from their token (theme depends on the group they are in, in keycloak). I do this via a similar endpoint in Louketo where the entire decoded token is available. That might be a bit overkill, but having the ability to add fields to the userinfo endpoint would be useful.

Your Environment

Version used: v6.1.1

enhancement Stale
opened by gboor 31

Unable to set `username` when using Keycloak provider

I am setting up the following environment:

User | Nginx | Oauth2 <---> Keycloak | Grafana

This is the nginx configuration (following the example here):

server {
        listen 443 ssl default_server;
        # listen [::]:443 ssl default_server;

        ssl_certificate /etc/nginx/ssl/nginx_vas_cz.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx_vas_cz.key;

        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name _;

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }

        location /grafana/ {
                auth_request /oauth2/auth;
                error_page 401 = /oauth2/sign_in;

                # pass information about the user to the backend
                # requires oauth2-proxy to run with --set-xauthrequest flag
                auth_request_set $user $upstream_http_x_auth_request_user;
                auth_request_set $email $upstream_http_x_auth_request_email;
                auth_request_set $name $upstream_http_x_auth_request_preferred_username;
                proxy_set_header X-Username $user;
                proxy_set_header X-Email $email;
                proxy_set_header X-Name $name;

                proxy_pass http://grafana.vas.cz:3000/;
        }

        location /oauth2/ {
                proxy_pass http://oauth.vas.cz:4180;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Scheme $scheme;
                proxy_set_header X-Auth-Request-Redirect $request_uri;
        }

        location = /oauth2/auth {
                proxy_pass http://oauth.vas.cz:4180;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Scheme $scheme;
                # nginx auth_request includes headers but not body
                proxy_set_header Content-Length "";
                proxy_pass_request_body off;
        }
}

When I access https://nginx.vas.cz/grafana/, I get redirected to Keycloak login page, perform the login and then sent to Grafana, but without login.

If I change proxy_set_header X-Username $user; to proxy_set_header X-Username "<new user>"; (in other words I force the login user), the user gets created in Grafana with the following profile:

Name = <my email>
Email = <my email>
Username = <new user>

which tells me that everything is correctly configured (or I will not be able to login).

According to your documentation, the --set-xauthorequest option should enable the following headers: X-Auth-Request-User, X-Auth-Request-Email and X-Auth-Request-Preferred-Username, so apparently the X-Auth-Request-User is not resolved.

This is the authentication result I get in the oauth2-proxy log:

[2020/07/17 14:10:45] [requests.go:26] 200 GET http://keycloak.vas.cz:8080/auth/realms/tutorial01/protocol/openid-connect/userinfo {"sub":"f4bb8645-f16f-4237-a9e4-58dea9e046f7","email_verified":false,"name":"<name surname>","groups":["/admin"],"preferred_username":"<username>","given_name":"<name>","family_name":"<surname>","email":"<email>"}
192.168.56.5:57446 - <email> [2020/07/17 14:10:45] [AuthSuccess] Authenticated via OAuth2: %!s(PANIC=String method: runtime error: invalid memory address or nil pointer dereference)
[2020/07/17 14:10:45] [cookies.go:48] Warning: request host "nginx.vas.cz" did not match any of the specific cookie domains of ""

Keycloak is returning all the expected information from the user.

So, I tried a different test:

proxy_set_header X-Username "newuser";
proxy_set_header X-User-Email "email";
proxy_set_header X-User-Name "name";

and again the user gets created with

Name = "name"
Email = "email"
Username = "newuser"

Putting together the two tests:

$upstream_http_x_auth_request_email = <email in KC> OK

$upstream_http_x_auth_request_preferred_username = <email in KC>, which is wrong. Note how the "preferred_username" in KC reply is the "", not the email.

$upstream_http_x_auth_request_user is resolved to <email in KC> too. To verify this, I made the following test:

proxy_set_header X-Username "new_user";
proxy_set_header X-User-Email $email;
proxy_set_header X-User-Name $user;

and I got the user created with "Name" = "<email>".

This is my configuration for oauth2:

./oauth2/oauth2-proxy --provider=keycloak --client-id=oauth2 --client-secret=<secret> --login-url="http://keycloak.vas.cz:8080/auth/realms/tutorial01/protocol/openid-connect/auth" --redeem-url="http://keycloak.vas.cz:8080/auth/realms/tutorial01/protocol/openid-connect/token" --validate-url="http://keycloak.vas.cz:8080/auth/realms/tutorial01/protocol/openid-connect/userinfo" --keycloak-group=/admin --email-domain=* --cookie-secret=<secret> --http-address="http://192.168.56.8:4180" --scope=openid --set-xauthrequest=true

Expected Behavior

$upstream_http_x_auth_request_email = <email in KC> OK

$upstream_http_x_auth_request_preferred_username = <preferred username in KC> i.e. the shortname uid

$upstream_http_x_auth_request_user = <name surname> i.e. the "name" filed in KC response.

Current Behavior

Everything is apparently mapped to the user's email

Update: apparently, after further investigation, it seems that $upstream_http_x_auth_request_preferred_username and $upstream_http_x_auth_request_user are not returned at all.

Possible Solution

Steps to Reproduce (for bugs)

The above should be enough. Let me know if you need something more.

Context

I'm setting authentication behind a authorization proxy.

Your Environment

Version used: oauth2-proxy v6.0.0 (built with go1.14.2)

bug help wanted Stale

opened by aizzi 30

CVE fixes pertaining to text, crypto and prometheus
Description

Updated go.mod to bump up the text, crypto and promtheus-client go-lang.

Motivation and Context

These changes corrected the below list of CVEs as discussed in #1641 List of CVE: https://github.com/advisories/GHSA-cg3q-j54f-5p7p https://github.com/advisories/GHSA-8c26-wmh5-6g9v CVE-2021-38561

How Has This Been Tested?

Ran go test to verify the behavior and also ran through the grype and trivy scan to ensure no new vulnerabilities popped up.

Checklist:

[X] My change requires a change to the documentation or CHANGELOG.

[x] I have updated the documentation/CHANGELOG accordingly.

[X] I have created a feature (non-master) branch for my PR.
opened by rkkris75 0
Corrects request endpoint
Description

The endpoint is repos, not repo, documentation

Motivation and Context

Don't see an open issue for this, but it is indeed broken, if checking if a user has a repo, the proxy just returns 500

How Has This Been Tested?

I double checked the endpoint is correct by making requests to it, if you really want me to test further I can, but I don't see the need

Checklist:

[x] My change requires a change to the documentation or CHANGELOG.

[x] I have updated the documentation/CHANGELOG accordingly.

[x] I have created a feature (non-master) branch for my PR.
opened by adamsong 0
Change error type for redirect parsing errors
Description

This changes the error type returned when the proxy fails to parse the redirect target to be a 400 error instead of a 500 error.

As far as I can tell, the only way that this can fail is a failure to parse the properties of the request to identity the redirect target. This indicates that the user has sent a malformed request, and so should result in a 400 rather than a 500.

I've added a test to exercise this, based on a real work example.

Motivation and Context

Closes #1516

How Has This Been Tested?

Added a unit test for this

Tested locally by:

Building a local docker image

Updating the local environment config to set skip_provider_button="true"

Updating the docker-compose config to use the local docker image

Running make local-env-up

Running curl 'localhost:4180/?q=%va' -v

Using the default image in the local env, this returns a 500. Using the locally built image with this change, this returns a 400.

Checklist:

[x] My change requires a change to the documentation or CHANGELOG.

[x] I have updated the documentation/CHANGELOG accordingly.

[x] I have created a feature (non-master) branch for my PR.
opened by Niksko 0
Go vet issue
go vet ./... returns an issue when running

Expected Behavior

Pass go vet ./...

go vet ./...

github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests

pkg/requests/result.go:18:2: method UnmarshalJSON() (*simplejson.Json, error) should have signature UnmarshalJSON([]byte) error pkg/requests/result.go:72:18: method UnmarshalJSON() (*simplejson.Json, error) should have signature UnmarshalJSON([]byte) error

Current Behavior

Possible Solution

Steps to Reproduce (for bugs)

go vet ./...

github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests

pkg/requests/result.go:18:2: method UnmarshalJSON() (*simplejson.Json, error) should have signature UnmarshalJSON([]byte) error pkg/requests/result.go:72:18: method UnmarshalJSON() (*simplejson.Json, error) should have signature UnmarshalJSON([]byte) error 3.  4.  5. 

Context

Your Environment

Version used:

go 1.1.7 1.18
opened by joeybdub 0
[Question] Cookie Expiration Behaviour
Greetings! Sorry if it is wrong place to post a questions. While using cookies as a storage backend:

Does --cookie-expire only affects standard way of cookies expiration time?

Does OAuth2 Proxy stores expiration timestamp in the cookie body itself (besides the standard way)?

Is cookie expiration date signed/checksummed anyhow in the cookie body?

The questions I'm asking are for understanding whether I can leave 24h expiration time set in the config, take a cookie from my browser and use it in the third-party automation testing service and set the cookie to expire never there? The testing service needs a cookie to bypass OAuth Proxy with no expiration date. But all the rest (users, etc) need the limited timeframe.

The general question: can I safely change the expiration date on client side without consequences? Thank you.
opened by dmitriypavlov 0

Releases(v7.2.1)

v7.2.1(Dec 22, 2021)
Release Highlights

This release contains a number of bug and security fixes, but has no feature additions.

Important Notes

N/A

Breaking Changes

N/A

Changes since v7.2.0

#1247 Use upn claim consistently in ADFSProvider (@NickMeves)

#1447 Fix docker build/push issues found during last release (@JoelSpeed)

#1433 Let authentication fail when session validation fails (@stippi2)

#1445 Fix docker container multi arch build issue by passing GOARCH details to make build (@jkandasa)

#1444 Update LinkedIn provider validate URL (@jkandasa)

#1471 Update alpine to 3.15 (@AlexanderBabel)

#1479 Update to Go 1.17 (@polarctos)

Source code(tar.gz)
Source code(zip)
oauth2-proxy-v7.2.1.darwin-amd64.tar.gz(9.71 MB)
oauth2-proxy-v7.2.1.darwin-amd64-sha256sum.txt(112 bytes)
oauth2-proxy-v7.2.1.freebsd-amd64.tar.gz(9.85 MB)
oauth2-proxy-v7.2.1.freebsd-amd64-sha256sum.txt(113 bytes)
oauth2-proxy-v7.2.1.linux-amd64.tar.gz(9.87 MB)
oauth2-proxy-v7.2.1.linux-amd64-sha256sum.txt(111 bytes)
oauth2-proxy-v7.2.1.linux-arm64.tar.gz(9.23 MB)
oauth2-proxy-v7.2.1.linux-arm64-sha256sum.txt(111 bytes)
oauth2-proxy-v7.2.1.linux-armv6.tar.gz(9.13 MB)
oauth2-proxy-v7.2.1.linux-armv6-sha256sum.txt(111 bytes)
oauth2-proxy-v7.2.1.windows-amd64.tar.gz(9.97 MB)
v7.2.0(Oct 23, 2021)
Release Highlights

LinkedIn provider updated to support the new v2 API

Introduce --force-json-errors to allow OAuth2 Proxy to protect JSON APIs and disable authentication redirection

Add URL rewrite capabilities to the upstream proxy

New ADFS provider integration

New Keycloak OIDC provider integration

Introduced Multiarch Docker images on the standard image tags

Important Notes

#1086 The extra validation to protect invalid session deserialization from v6.0.0 (only) has been removed to improve performance. If you are on v6.0.0, either upgrade to a version before this first and allow legacy sessions to expire gracefully or change your cookie-secret value and force all sessions to reauthenticate.

#1210 A new keycloak-oidc provider has been added with support for role based authentication. The existing keycloak auth provider will eventually be deprecated and removed. Please switch to the new provider keycloak-oidc.

Breaking Changes

#1239 GitLab groups sent in the X-Forwarded-Groups header to the upstream server will no longer be prefixed with group:

Changes since v7.1.3

#1391 Improve build times by sharing cache and allowing platform selection (@JoelSpeed)

#1404 Improve error message when no cookie is found (@JoelSpeed)

#1315 linkedin: Update provider to v2 (@wuurrd)

#1348 Using the native httputil proxy code for websockets rather than yhat/wsutil to properly handle HTTP-level failures (@thetrime)

#1379 Fix the manual sign in with --htpasswd-user-group switch (@janrotter)

#1375 Added --force-json-errors flag (@bancek)

#1337 Changing user field type to text when using htpasswd (@pburgisser)

#1239 Base GitLab provider implementation on OIDCProvider (@NickMeves)

#1276 Update crypto and switched to new github.com/golang-jwt/jwt (@JVecsei)

#1264 Update go-oidc to v3 (@NickMeves)

#1233 Extend email-domain validation with sub-domain capability (@morarucostel)

#1060 Implement RewriteTarget to allow requests to be rewritten before proxying to upstream servers (@JoelSpeed)

#1086 Refresh sessions before token expiration if configured (@NickMeves)

#1226 Move app redirection logic to its own package (@JoelSpeed)

#1128 Use gorilla mux for OAuth Proxy routing (@JoelSpeed)

#1238 Added ADFS provider (@samirachoadi)

#1227 Fix Refresh Session not working for multiple cookies (@rishi1111)

#1063 Add Redis lock feature to lock persistent sessions (@Bibob7)

#1108 Add alternative ways to generate cookie secrets to docs (@JoelSpeed)

#1142 Add pagewriter to upstream proxy (@JoelSpeed)

#1181 Fix incorrect cfg name in show-debug-on-error flag (@iTaybb)

#1207 Fix URI fragment handling on sign-in page, regression introduced in 7.1.0 (@tarvip)

#1210 New Keycloak OIDC Provider (@pb82)

#1244 Update Alpine image version to 3.14 (@ahovgaard)

#1317 Fix incorrect </form> tag on the sing_in page when not using a custom template (@jord1e)

#1330 Allow specifying URL as input for custom sign in logo (@MaikuMori)

#1357 Fix unsafe access to session variable (@harzallah)

#997 Allow passing the raw url path when proxying upstream requests - e.g. /%2F/ (@FStelzer)

#1147 Multiarch support for docker image (@goshlanguage)

#1296 Fixed panic when connecting to Redis with TLS (@mstrzele)

#1403 Improve TLS handling for Redis to support non-standalone mode with TLS (@wadahiro)

Source code(tar.gz)
Source code(zip)
oauth2-proxy-v7.2.0.darwin-amd64.tar.gz(9.71 MB)
oauth2-proxy-v7.2.0.darwin-amd64-sha256sum.txt(112 bytes)
oauth2-proxy-v7.2.0.freebsd-amd64.tar.gz(9.85 MB)
oauth2-proxy-v7.2.0.freebsd-amd64-sha256sum.txt(113 bytes)
oauth2-proxy-v7.2.0.linux-amd64.tar.gz(9.87 MB)
oauth2-proxy-v7.2.0.linux-amd64-sha256sum.txt(111 bytes)
oauth2-proxy-v7.2.0.linux-arm64.tar.gz(9.23 MB)
oauth2-proxy-v7.2.0.linux-arm64-sha256sum.txt(111 bytes)
oauth2-proxy-v7.2.0.linux-armv6.tar.gz(9.13 MB)
oauth2-proxy-v7.2.0.linux-armv6-sha256sum.txt(111 bytes)
oauth2-proxy-v7.2.0.windows-amd64.tar.gz(9.97 MB)
oauth2-proxy-v7.2.0.windows-amd64-sha256sum.txt(113 bytes)
v7.1.3(Apr 28, 2021)
Release Highlights

Fixed typos in the metrics server TLS config names

Important Notes

#967 --insecure-oidc-skip-nonce is currently true by default in case any existing OIDC Identity Providers don't support it. The default will switch to false in a future version.

Breaking Changes

Changes since v7.1.2

#1168 Fix incorrect cfg name in Metrics TLS flags (@NickMeves)

#967 Set & verify a nonce with OIDC providers (@NickMeves)

#1136 Add clock package for better time mocking in tests (@NickMeves)

#947 Multiple provider ingestion and validation in alpha options (first stage: #926) (@yanasega)

Source code(tar.gz)
Source code(zip)
oauth2-proxy-v7.1.3.darwin-amd64-sha256sum.txt(112 bytes)
oauth2-proxy-v7.1.3.darwin-amd64.tar.gz(9.61 MB)
oauth2-proxy-v7.1.3.freebsd-amd64-sha256sum.txt(113 bytes)
oauth2-proxy-v7.1.3.freebsd-amd64.tar.gz(9.75 MB)
oauth2-proxy-v7.1.3.linux-amd64-sha256sum.txt(111 bytes)
oauth2-proxy-v7.1.3.linux-amd64.tar.gz(9.77 MB)
oauth2-proxy-v7.1.3.linux-arm64-sha256sum.txt(111 bytes)
oauth2-proxy-v7.1.3.linux-arm64.tar.gz(9.15 MB)
oauth2-proxy-v7.1.3.linux-armv6-sha256sum.txt(111 bytes)
oauth2-proxy-v7.1.3.linux-armv6.tar.gz(9.05 MB)
oauth2-proxy-v7.1.3.windows-amd64-sha256sum.txt(113 bytes)
oauth2-proxy-v7.1.3.windows-amd64.tar.gz(9.84 MB)
v7.1.2(Apr 2, 2021)
Release Highlights

Metrics bind address initialisation was broken in config files

Important Notes

N/A

Breaking Changes

N/A

Changes since v7.1.1

#1129 Rewrite OpenRedirect tests in ginkgo (@JoelSpeed)

#1127 Remove unused fields from OAuthProxy (@JoelSpeed)

#1141 Fix metrics server bind address initialization (@oliver006)

Source code(tar.gz)
Source code(zip)
oauth2-proxy-v7.1.2.darwin-amd64.tar.gz(9.58 MB)
oauth2-proxy-v7.1.2.darwin-amd64-sha256sum.txt(112 bytes)
oauth2-proxy-v7.1.2.freebsd-amd64.tar.gz(9.72 MB)
oauth2-proxy-v7.1.2.freebsd-amd64-sha256sum.txt(113 bytes)
oauth2-proxy-v7.1.2.linux-amd64.tar.gz(9.74 MB)
oauth2-proxy-v7.1.2.linux-amd64-sha256sum.txt(111 bytes)
oauth2-proxy-v7.1.2.linux-arm64.tar.gz(9.12 MB)
oauth2-proxy-v7.1.2.linux-arm64-sha256sum.txt(111 bytes)
oauth2-proxy-v7.1.2.linux-armv6.tar.gz(9.01 MB)
oauth2-proxy-v7.1.2.linux-armv6-sha256sum.txt(111 bytes)
oauth2-proxy-v7.1.2.windows-amd64.tar.gz(9.80 MB)
oauth2-proxy-v7.1.2.windows-amd64-sha256sum.txt(113 bytes)
v7.1.1(Mar 29, 2021)
Release Highlights

The metrics server could not be started in v7.1.0, this is now fixed.

Important Notes

N/A

Breaking Changes

N/A

Changes since v7.1.0

#1133 Metrics server should be constructed with secure bind address for TLS (@JoelSpeed)

Source code(tar.gz)
Source code(zip)
oauth2-proxy-v7.1.1.darwin-amd64.tar.gz(9.58 MB)
oauth2-proxy-v7.1.1.darwin-amd64-sha256sum.txt(112 bytes)
oauth2-proxy-v7.1.1.freebsd-amd64.tar.gz(9.72 MB)
oauth2-proxy-v7.1.1.freebsd-amd64-sha256sum.txt(113 bytes)
oauth2-proxy-v7.1.1.linux-amd64.tar.gz(9.74 MB)
oauth2-proxy-v7.1.1.linux-amd64-sha256sum.txt(111 bytes)
oauth2-proxy-v7.1.1.linux-arm64.tar.gz(9.12 MB)
oauth2-proxy-v7.1.1.linux-arm64-sha256sum.txt(111 bytes)
oauth2-proxy-v7.1.1.linux-armv6.tar.gz(9.01 MB)
oauth2-proxy-v7.1.1.linux-armv6-sha256sum.txt(111 bytes)
oauth2-proxy-v7.1.1.windows-amd64.tar.gz(9.80 MB)
oauth2-proxy-v7.1.1.windows-amd64-sha256sum.txt(113 bytes)
v7.1.0(Mar 25, 2021)
Release Highlights

New improved design for sign in and error pages based on bulma framework

Refactored templates loading

robots.txt, sign_in.html and error.html can now be provided individually in --custom-templates-dir

If any of the above are not provided, defaults are used

Defaults templates be found in pkg/app/pagewriter

Introduction of basic prometheus metrics

Introduction of Traefik based local testing/example environment

Support for request IDs to allow request co-ordination of log lines

Important Notes

GHSA-652x-m2gr-hppm GitLab group authorization stopped working in v7.0.0, the functionality has now been restored, please see the linked advisory for details

#1103 Upstream request signatures via --signature-key is deprecated. Support will be removed completely in v8.0.0.

1087 The default logging templates have been updated to include {{.RequestID}}

#1117 The --gcp-healthchecks option is now deprecated. It will be removed in a future release.

To migrate, you can change your application health checks for OAuth2 Proxy to point to the --ping-path value.

You can also migrate the user agent based health check using the --ping-user-agent option. Set it to GoogleHC/1.0 to allow health checks on the path / from the Google health checker.

Breaking Changes

N/A

Changes since v7.0.1

GHSA-652x-m2gr-hppm --gitlab-group GitLab Group Authorization config flag stopped working in v7.0.0 (@NickMeves, @papey)

#1113 Panic with GitLab project repository auth (@piersharding)

#1116 Reinstate preferEmailToUser behaviour for basic auth sessions (@JoelSpeed)

#1115 Fix upstream proxy appending ? to requests (@JoelSpeed)

#1117 Deprecate GCP HealthCheck option (@JoelSpeed)

#1104 Allow custom robots text pages (@JoelSpeed)

#1045 Ensure redirect URI always has a scheme (@JoelSpeed)

#1103 Deprecate upstream request signatures (@NickMeves)

#1087 Support Request ID in logging (@NickMeves)

#914 Extract email from id_token for azure provider when oidc is configured (@weinong)

#1047 Refactor HTTP Server and add ServerGroup to handle graceful shutdown of multiple servers (@JoelSpeed)

#1070 Refactor logging middleware to middleware package (@NickMeves)

#1064 Add support for setting groups on session when using basic auth (@stefansedich)

#1056 Add option for custom logos on the sign in page (@JoelSpeed)

#1054 Update to Go 1.16 (@JoelSpeed)

#1052 Update golangci-lint to latest version (v1.36.0) (@JoelSpeed)

#1043 Refactor Sign In Page rendering and capture all page rendering code in pagewriter package (@JoelSpeed)

#1029 Refactor error page rendering and allow debug messages on error (@JoelSpeed)

#1028 Refactor templates, update theme and provide styled error pages (@JoelSpeed)

#1039 Ensure errors in tests are logged to the GinkgoWriter (@JoelSpeed)

#980 Add Prometheus metrics endpoint (@neuralsandwich)

#1023 Update docs on Traefik ForwardAuth support without the use of Traefik 'errors' middleware (@pcneo83)

#1091 Add an example with Traefik (configuration without Traefik 'errors' middleware) (@fcollonval)

Source code(tar.gz)
Source code(zip)
oauth2-proxy-v7.1.0.darwin-amd64-sha256sum.txt(112 bytes)
oauth2-proxy-v7.1.0.darwin-amd64.tar.gz(9.56 MB)
oauth2-proxy-v7.1.0.freebsd-amd64-sha256sum.txt(113 bytes)
oauth2-proxy-v7.1.0.freebsd-amd64.tar.gz(9.70 MB)
oauth2-proxy-v7.1.0.linux-amd64-sha256sum.txt(111 bytes)
oauth2-proxy-v7.1.0.linux-amd64.tar.gz(9.72 MB)
oauth2-proxy-v7.1.0.linux-arm64-sha256sum.txt(111 bytes)
oauth2-proxy-v7.1.0.linux-arm64.tar.gz(9.11 MB)
oauth2-proxy-v7.1.0.linux-armv6-sha256sum.txt(111 bytes)
oauth2-proxy-v7.1.0.linux-armv6.tar.gz(9.01 MB)
oauth2-proxy-v7.1.0.windows-amd64-sha256sum.txt(113 bytes)
oauth2-proxy-v7.1.0.windows-amd64.tar.gz(9.79 MB)
v7.0.1(Feb 10, 2021)
Release Highlights

Fixed a bug that meant that flag ordering mattered

Fixed a bug where response headers for groups were not being flattened

Important Notes

N/A

Breaking Changes

N/A

Changes since v7.0.0

#1020 Flatten array-based response headers (@NickMeves)

#1026 Ensure config flags get parsed correctly when other flags precede them (@JoelSpeed)

Source code(tar.gz)
Source code(zip)
oauth2-proxy-v7.0.1.darwin-amd64.tar.gz(10.40 MB)
oauth2-proxy-v7.0.1.darwin-amd64-sha256sum.txt(112 bytes)
oauth2-proxy-v7.0.1.freebsd-amd64.tar.gz(10.51 MB)
oauth2-proxy-v7.0.1.freebsd-amd64-sha256sum.txt(113 bytes)
oauth2-proxy-v7.0.1.linux-amd64.tar.gz(10.54 MB)
oauth2-proxy-v7.0.1.linux-amd64-sha256sum.txt(111 bytes)
oauth2-proxy-v7.0.1.linux-arm64.tar.gz(9.84 MB)
oauth2-proxy-v7.0.1.linux-arm64-sha256sum.txt(111 bytes)
oauth2-proxy-v7.0.1.linux-armv6.tar.gz(9.67 MB)
oauth2-proxy-v7.0.1.linux-armv6-sha256sum.txt(111 bytes)
oauth2-proxy-v7.0.1.windows-amd64.tar.gz(10.45 MB)
oauth2-proxy-v7.0.1.windows-amd64-sha256sum.txt(113 bytes)
v7.0.0(Feb 1, 2021)
Release Highlights

Major internal improvements to provider interfaces

Added group authorization support

Improved support for external auth for Traefik

Introduced alpha configuration format to allow users to trial new configuration format and alpha features

GitLab provider now supports restricting to members of a project

Keycloak provider now supports restricting users to members of a set of groups

(Alpha) Flexible header configuration allowing user defined mapping of session claims to header values

Important Notes

GHSA-4mf2-f3wh-gvf2 The whitelist domain feature has been updated to fix a vulnerability that was identified, please see the linked advisory for details

#964 Redirect URL generation will attempt secondary strategies in the priority chain if any fail the IsValidRedirect security check. Previously any failures fell back to /.

#953 Keycloak will now use --profile-url if set for the userinfo endpoint instead of --validate-url. --validate-url will still work for backwards compatibility.

#957 To use X-Forwarded-{Proto,Host,Uri} on redirect detection, --reverse-proxy must be true.

#936 --user-id-claim option is deprecated and replaced by --oidc-email-claim

#630 Gitlab projects needs a Gitlab application with the extra read_api enabled

#849 /oauth2/auth allowed_groups querystring parameter can be paired with the allowed-groups configuration option.

The allowed_groups querystring parameter can specify multiple comma delimited groups.

In this scenario, the user must have a group (from their multiple groups) present in both lists to not get a 401 or 403 response code.

Example:

OAuth2-Proxy globally sets the allowed_groups as engineering.

An application using Kubernetes ingress uses the /oauth2/auth endpoint with allowed_groups querystring set to backend.

A user must have a session with the groups ["engineering", "backend"] to pass authorization.

Another user with the groups ["engineering", "frontend"] would fail the querystring authorization portion.

#905 Existing sessions from v6.0.0 or earlier are no longer valid. They will trigger a reauthentication.

#826 skip-auth-strip-headers now applies to all requests, not just those where authentication would be skipped.

#797 The behavior of the Google provider Groups restriction changes with this

Either --google-group or the new --allowed-group will work for Google now (--google-group will be used if both are set)

Group membership lists will be passed to the backend with the X-Forwarded-Groups header

If you change the list of allowed groups, existing sessions that now don't have a valid group will be logged out immediately.

Previously, group membership was only checked on session creation and refresh.

#789 --skip-auth-route is (almost) backwards compatible with --skip-auth-regex

We are marking --skip-auth-regex as DEPRECATED and will remove it in the next major version.

If your regex contains an = and you want it for all methods, you will need to add a leading = (this is the area where --skip-auth-regex doesn't port perfectly)

#575 Sessions from v5.1.1 or earlier will no longer validate since they were not signed with SHA1.

Sessions from v6.0.0 or later had a graceful conversion to SHA256 that resulted in no reauthentication

Upgrading from v5.1.1 or earlier will result in a reauthentication

#616 Ensure you have configured oauth2-proxy to use the groups scope.

The user may be logged out initially as they may not currently have the groups claim however after going back through login process wil be authenticated.

#839 Enables complex data structures for group claim entries, which are output as Json by default.

Breaking Changes

#964 --reverse-proxy must be true to trust X-Forwarded-* headers as canonical. These are used throughout the application in redirect URLs, cookie domains and host logging logic. These are the headers:

X-Forwarded-Proto instead of req.URL.Scheme

X-Forwarded-Host instead of req.Host

X-Forwarded-Uri instead of req.URL.RequestURI()

#953 In config files & envvar configs, keycloak_group is now the plural keycloak_groups. Flag configs are still --keycloak-group but it can be passed multiple times.

#911 Specifying a non-existent provider will cause OAuth2-Proxy to fail on startup instead of defaulting to "google".

#797 Security changes to Google provider group authorization flow

If you change the list of allowed groups, existing sessions that now don't have a valid group will be logged out immediately.

Previously, group membership was only checked on session creation and refresh.

#722 When a Redis session store is configured, OAuth2-Proxy will fail to start up unless connection and health checks to Redis pass

#800 Fix import path for v7. The import path has changed to support the go get installation.

You can now go get github.com/oauth2-proxy/oauth2-proxy/v7 to get the latest v7 version of OAuth2 Proxy

Import paths for package are now under v7, eg github.com/oauth2-proxy/oauth2-proxy/v7/pkg/<module>

#753 A bug in the Azure provider prevented it from properly passing the configured protected --resource via the login url. If this option was used in the past, behavior will change with this release as it will affect the tokens returned by Azure. In the past, the tokens were always for https://graph.microsoft.com (the default) and will now be for the configured resource (if it exists, otherwise it will run into errors)

#754 The Azure provider now has token refresh functionality implemented. This means that there won't be any redirects in the browser anymore when tokens expire, but instead a token refresh is initiated in the background, which leads to new tokens being returned in the cookies.

Please note that --cookie-refresh must be 0 (the default) or equal to the token lifespan configured in Azure AD to make Azure token refresh reliable. Setting this value to 0 means that it relies on the provider implementation to decide if a refresh is required.

Changes since v6.1.1

GHSA-4mf2-f3wh-gvf2 Subdomain checking of whitelisted domains could allow unintended redirects (@NickMeves)

#1002 Use logger for logging refreshed session in azure and gitlab provider (@Bibob7)

#799 Use comma separated multiple values for header (@lilida)

#903 Add docs and generated reference for Alpha configuration (@JoelSpeed)

#995 Add Security Policy (@JoelSpeed)

#964 Require --reverse-proxy true to trust X-Forwareded-* type headers (@NickMeves)

#970 Fix joined cookie name for those containing underline in the suffix (@peppered)

#953 Migrate Keycloak to EnrichSession & support multiple groups for authorization (@NickMeves)

#957 Use X-Forwarded-{Proto,Host,Uri} on redirect as last resort (@linuxgemini)

#630 Add support for Gitlab project based authentication (@factorysh)

#907 Introduce alpha configuration option to enable testing of structured configuration (@JoelSpeed)

#938 Cleanup missed provider renaming refactor methods (@NickMeves)

#816 (via #936) Support non-list group claims (@loafoe)

#936 Refactor OIDC Provider and support groups from Profile URL (@NickMeves)

#869 Streamline provider interface method names and signatures (@NickMeves)

#849 Support group authorization on oauth2/auth endpoint via allowed_groups querystring (@NickMeves)

#925 Fix basic auth legacy header conversion (@JoelSpeed)

#916 Add AlphaOptions struct to prepare for alpha config loading (@JoelSpeed)

#923 Support TLS 1.3 (@aajisaka)

#918 Fix log header output (@JoelSpeed)

#911 Validate provider type on startup. (@arcivanov)

#906 Set up v6.1.x versioned documentation as default documentation (@JoelSpeed)

#905 Remove v5 legacy sessions support (@NickMeves)

#904 Set skip-auth-strip-headers to true by default (@NickMeves)

#826 Integrate new header injectors into project (@JoelSpeed)

#797 Create universal Authorization behavior across providers (@NickMeves)

#898 Migrate documentation to Docusaurus (@JoelSpeed)

#754 Azure token refresh (@codablock)

#850 Increase session fields in /oauth2/userinfo endpoint (@NickMeves)

#825 Fix code coverage reporting on GitHub actions(@JoelSpeed)

#796 Deprecate GetUserName & GetEmailAdress for EnrichSessionState (@NickMeves)

#705 Add generic Header injectors for upstream request and response headers (@JoelSpeed)

#753 Pass resource parameter in login url (@codablock)

#789 Add --skip-auth-route configuration option for METHOD=pathRegex based allowlists (@NickMeves)

#575 Stop accepting legacy SHA1 signed cookies (@NickMeves)

#722 Validate Redis configuration options at startup (@NickMeves)

#791 Remove GetPreferredUsername method from provider interface (@NickMeves)

#764 Document bcrypt encryption for htpasswd (and hide SHA) (@lentzi90)

#778 Use display-htpasswd-form flag

#616 Add support to ensure user belongs in required groups when using the OIDC provider (@stefansedich)

#800 Fix import path for v7 (@johejo)

#783 Update Go to 1.15 (@johejo)

#813 Fix build (@thiagocaiubi)

#801 Update go-redis/redis to v8 (@johejo)

#750 ci: Migrate to Github Actions (@shinebayar-g)

#829 Rename test directory to testdata (@johejo)

#819 Improve CI (@johejo)

#989 Adapt isAjax to support mimetype lists (@rassie)

#1013 Update alpine version to 3.13 (@nishanth-pinnapareddy)

Source code(tar.gz)
Source code(zip)
oauth2-proxy-v7.0.0.darwin-amd64.tar.gz(10.40 MB)
oauth2-proxy-v7.0.0.darwin-amd64-sha256sum.txt(112 bytes)
oauth2-proxy-v7.0.0.freebsd-amd64.tar.gz(10.51 MB)
oauth2-proxy-v7.0.0.freebsd-amd64-sha256sum.txt(113 bytes)
oauth2-proxy-v7.0.0.linux-amd64.tar.gz(10.53 MB)
oauth2-proxy-v7.0.0.linux-amd64-sha256sum.txt(111 bytes)
oauth2-proxy-v7.0.0.linux-arm64.tar.gz(9.84 MB)
oauth2-proxy-v7.0.0.linux-arm64-sha256sum.txt(111 bytes)
oauth2-proxy-v7.0.0.linux-armv6.tar.gz(9.67 MB)
oauth2-proxy-v7.0.0.linux-armv6-sha256sum.txt(111 bytes)
oauth2-proxy-v7.0.0.windows-amd64.tar.gz(10.45 MB)
oauth2-proxy-v7.0.0.windows-amd64-sha256sum.txt(113 bytes)
v6.1.1(Aug 31, 2020)
Release Highlights

Fixed a bug which prevented static upstreams from being used

Fixed a bug which prevented file based upstreams from being used

Ensure that X-Forwarded-Host is respected consistently

Important Notes

N/A

Breaking

N/A

Changes since v6.1.0

#729 Use X-Forwarded-Host consistently when set (@NickMeves)

#746 Fix conversion of static responses in upstreams (@JoelSpeed)

Source code(tar.gz)
Source code(zip)
oauth2-proxy-v6.1.1.darwin-amd64.tar.gz(10.75 MB)
oauth2-proxy-v6.1.1.darwin-amd64-sha256sum.txt(112 bytes)
oauth2-proxy-v6.1.1.freebsd-amd64.tar.gz(10.87 MB)
oauth2-proxy-v6.1.1.freebsd-amd64-sha256sum.txt(113 bytes)
oauth2-proxy-v6.1.1.linux-amd64.tar.gz(10.88 MB)
oauth2-proxy-v6.1.1.linux-amd64-sha256sum.txt(111 bytes)
oauth2-proxy-v6.1.1.linux-arm64.tar.gz(10.18 MB)
oauth2-proxy-v6.1.1.linux-arm64-sha256sum.txt(111 bytes)
oauth2-proxy-v6.1.1.linux-armv6.tar.gz(10.09 MB)
oauth2-proxy-v6.1.1.linux-armv6-sha256sum.txt(111 bytes)
oauth2-proxy-v6.1.1.windows-amd64.tar.gz(10.69 MB)
oauth2-proxy-v6.1.1.windows-amd64-sha256sum.txt(113 bytes)
v6.1.0(Aug 27, 2020)
Release Highlights

Redis session stores now support authenticated connections

Error logging can now be separated from info logging by directing error logs to stderr

Added --session-cookie-minimal flag which helps prevent large session cookies

Improvements to force-https behaviour

Allow requests to skip authentication based on their source IP

Important Notes

#632 There is backwards compatibility to sessions from v5

Any unencrypted sessions from before v5 that only contained a Username & Email will trigger a reauthentication

Breaking Changes

N/A

Changes since v6.0.0

#742 Only log no cookie match if cookie domains specified (@JoelSpeed)

#562 Create generic Authorization Header constructor (@JoelSpeed)

#715 Ensure session times are not nil before printing them (@JoelSpeed)

#714 Support passwords with Redis session stores (@NickMeves)

#719 Add Gosec fixes to areas that are intermittently flagged on PRs (@NickMeves)

#718 Allow Logging to stdout with separate Error Log Channel

#690 Address GoSec security findings & remediate (@NickMeves)

#689 Fix finicky logging_handler_test from time drift (@NickMeves)

#700 Allow OIDC Bearer auth IDTokens to have empty email claim & profile URL (@NickMeves)

#699 Align persistence ginkgo tests with conventions (@NickMeves)

#696 Preserve query when building redirect

#561 Refactor provider URLs to package level vars (@JoelSpeed)

#682 Refactor persistent session store session ticket management (@NickMeves)

#688 Refactor session loading to make use of middleware pattern (@JoelSpeed)

#593 Integrate upstream package with OAuth2 Proxy (@JoelSpeed)

#687 Refactor HTPasswd Validator (@JoelSpeed)

#624 Allow stripping authentication headers from whitelisted requests with --skip-auth-strip-headers (@NickMeves)

#673 Add --session-cookie-minimal option to create session cookies with no tokens (@NickMeves)

#632 Reduce session size by encoding with MessagePack and using LZ4 compression (@NickMeves)

#675 Fix required ruby version and deprecated option for building docs (@mkontani)

#669 Reduce docker context to improve build times (@JoelSpeed)

#668 Use req.Host in --force-https when req.URL.Host is empty (@zucaritask)

#660 Use builder pattern to simplify requests to external endpoints (@JoelSpeed)

#591 Introduce upstream package with new reverse proxy implementation (@JoelSpeed)

#576 Separate Cookie validation out of main options validation (@JoelSpeed)

#656 Split long session cookies more precisely (@NickMeves)

#619 Improve Redirect to HTTPs behaviour (@JoelSpeed)

#654 Close client connections after each redis test (@JoelSpeed)

#542 Move SessionStore tests to independent package (@JoelSpeed)

#577 Move Cipher and Session Store initialisation out of Validation (@JoelSpeed)

#635 Support specifying alternative provider TLS trust source(s) (@k-wall)

#649 Resolve an issue where an empty healthcheck URL and ping-user-agent returns the healthcheck response (@jordancrawfordnz)

#662 Do not add Cache-Control header to response from auth only endpoint (@johejo)

#552 Implements --trusted-ip option to allow clients behind specified IPs or CIDR ranges to bypass authentication (@Izzette)

#733 dist.sh: remove go version from asset links (@syscll)

Source code(tar.gz)
Source code(zip)
oauth2-proxy-v6.1.0.linux-arm64-sha256sum.txt(111 bytes)
oauth2-proxy-v6.1.0.darwin-amd64.tar.gz(10.75 MB)
oauth2-proxy-v6.1.0.linux-armv6-sha256sum.txt(111 bytes)
oauth2-proxy-v6.1.0.windows-amd64.tar.gz(10.69 MB)
oauth2-proxy-v6.1.0.darwin-amd64-sha256sum.txt(112 bytes)
oauth2-proxy-v6.1.0.linux-amd64.tar.gz(10.88 MB)
oauth2-proxy-v6.1.0.windows-amd64-sha256sum.txt(113 bytes)
oauth2-proxy-v6.1.0.freebsd-amd64.tar.gz(10.87 MB)
oauth2-proxy-v6.1.0.linux-amd64-sha256sum.txt(111 bytes)
oauth2-proxy-v6.1.0.linux-arm64.tar.gz(10.18 MB)
oauth2-proxy-v6.1.0.freebsd-amd64-sha256sum.txt(113 bytes)
v6.0.0(Jun 27, 2020)
Release Highlights

Migrated to an independent GitHub organisation

Added local test environment examples using docker-compose and kind

Error pages will now be rendered when upstream connections fail

Non-Existent options in config files will now return errors on startup

Sessions are now always encrypted, independent of configuration

Important Notes

(Security) Fix for open redirect vulnerability.

More invalid redirects that lead to open-redirects were reported

An extensive test suite has been added to prevent future regressions

#453 Responses to endpoints with a proxy prefix will now return headers for preventing browser caching.

Breaking Changes

#464 Migration from Pusher to independent org may have introduced breaking changes for your environment.

See the changes listed below for PR #464 for full details

Binaries renamed from oauth2_proxy to oauth2-proxy

#440 Switch Azure AD Graph API to Microsoft Graph API

The Azure AD Graph API has been deprecated and is being replaced by the Microsoft Graph API. If your application relies on the access token being passed to it to access the Azure AD Graph API, you should migrate your application to use the Microsoft Graph API. Existing behaviour can be retained by setting -resource=https://graph.windows.net.

#484 Configuration loading has been replaced with Viper and PFlag

Flags now require a -- prefix before the option

Previously flags allowed either - or -- to prefix the option name

Eg -provider must now be --provider

#487 Switch flags to StringSlice instead of StringArray

Options that take multiple arguments now split strings on commas if present

Eg --foo=a,b,c,d would result in the values a, b, c and d instead of a single a,b,c,d value as before

#535 Drop support for pre v3.1 cookies

The encoding for session cookies was changed starting in v3.1.0, support for the previous encoding is now dropped

If you are upgrading from a version earlier than this, please upgrade via a version between v3.1.0 and v5.1.1

#537 Drop Fallback to Email if User not set

Previously, when a session was loaded, if the User was not set, it would be replaced by the Email. This behaviour was inconsistent as it required the session to be stored and then loaded to function properly.

This behaviour has now been removed and the User field will remain empty if it was not set when the session was saved.

In some scenarios X-Forwarded-User will now be empty. Use X-Forwarded-Email instead.

In some scenarios, this may break setting Basic Auth on upstream or responses. Use --prefer-email-to-user to restore falling back to the Email in these cases.

#556 Remove unintentional auto-padding of secrets that were too short

Previously, after cookie-secrets were opportunistically base64 decoded to raw bytes, they were padded to have a length divisible by 4.

This led to wrong sized secrets being valid AES lengths of 16, 24, or 32 bytes. Or it led to confusing errors reporting an invalid length of 20 or 28 when the user input cookie-secret was not that length.

Now we will only base64 decode a cookie-secret to raw bytes if it is 16, 24, or 32 bytes long. Otherwise, we will convert the direct cookie-secret to bytes without silent padding added.

#412/#559 Allow multiple cookie domains to be specified

Multiple cookie domains may now be configured. The longest domain that matches will be used.

The config options cookie_domain is now cookie_domains

The environment variable OAUTH2_PROXY_COOKIE_DOMAIN is now OAUTH2_PROXY_COOKIE_DOMAINS

#414 Always encrypt sessions regardless of config

Previously, sessions were encrypted only when certain options were configured. This lead to confusion and misconfiguration as it was not obvious when a session should be encrypted.

Cookie Secrets must now be 16, 24 or 32 bytes.

If you need to change your secret, this will force users to reauthenticate.

#548 Separate logging options out of main options structure

Fixes an inconsistency in the --exclude-logging-paths option by renaming it to --exclude-logging-option.

This flag may now be given multiple times as with other list options

This flag also accepts comma separated values

#639 Change how gitlab-group is parsed on options

Previously, the flag gitlab-group used comma seperated values, while the config option used space seperated values.

This fixes the config value to use slices internally.

The config option gitlab_group is now gitlab_groups

The environment variable OAUTH2_PROXY_GITLAB_GROUP is now OAUTH2_PROXY_GITLAB_GROUPS

Changes since v5.1.1

GHSA-5m6c-jp6f-2vcv New OpenRedirect cases have been found (@JoelSpeed)

#639 Change how gitlab-group is parsed on options (@linuxgemini)

#615 Kubernetes example based on Kind cluster and Nginx ingress (@EvgeniGordeev)

#596 Validate Bearer IDTokens in headers with correct provider/extra JWT Verifier (@NickMeves)

#620 Add HealthCheck middleware (@JoelSpeed)

#597 Don't log invalid redirect if redirect is empty (@JoelSpeed)

#604 Add Keycloak local testing environment (@EvgeniGordeev)

#539 Refactor encryption ciphers and add AES-GCM support (@NickMeves)

#601 Ensure decrypted user/email are valid UTF8 (@JoelSpeed)

#560 Fallback to UserInfo is User ID claim not present (@JoelSpeed)

#598 acr_values no longer sent to IdP when empty (@ScottGuymer)

#548 Separate logging options out of main options structure (@JoelSpeed)

#567 Allow health/ping request to be identified via User-Agent (@chkohner)

#536 Improvements to Session State code (@JoelSpeed)

#573 Properly parse redis urls for cluster and sentinel connections (@amnay-mo)

#574 render error page on 502 proxy status (@amnay-mo)

#559 Rename cookie-domain config to cookie-domains (@JoelSpeed)

#569 Updated autocompletion for -- long options. (@Izzette)

#489 Move Options and Validation to separate packages (@JoelSpeed)

#556 Remove unintentional auto-padding of secrets that were too short (@NickMeves)

#538 Refactor sessions/utils.go functionality to other areas (@NickMeves)

#503 Implements --real-client-ip-header option to select the header from which to obtain a proxied client's IP (@Izzette)

#529 Add local test environments for testing changes and new features (@JoelSpeed)

#537 Drop Fallback to Email if User not set (@JoelSpeed)

#535 Drop support for pre v3.1 cookies (@JoelSpeed)

#533 Set up code coverage within Travis for Code Climate (@JoelSpeed)

#514 Add basic string functions to templates (@n-i-x)

#524 Sign cookies with SHA256 (@NickMeves)

#515 Drop configure script in favour of native Makefile env and checks (@JoelSpeed)

#519 Support context in providers (@johejo)

#487 Switch flags to PFlag to remove StringArray (@JoelSpeed)

#484 Replace configuration loading with Viper (@JoelSpeed)

#499 Add -user-id-claim to support generic claims in addition to email (@holyjak)

#486 Add new linters (@johejo)

#440 Switch Azure AD Graph API to Microsoft Graph API (@johejo)

#453 Prevent browser caching during auth flow (@johejo)

#467 Allow OIDC issuer verification to be skipped (@chkohner)

#481 Update Okta docs (@trevorbox)

#474 Always log hasMember request error object (@jbielick)

#468 Implement graceful shutdown and propagate request context (@johejo)

#464 Migrate to oauth2-proxy/oauth2-proxy (@JoelSpeed)

Project renamed from pusher/oauth2_proxy to oauth2-proxy

Move Go import path from github.com/pusher/oauth2_proxy to github.com/oauth2-proxy/oauth2-proxy

Remove Pusher Cloud Team from CODEOWNERS

Release images moved to quay.io/oauth2-proxy/oauth2-proxy

Binaries renamed from oauth2_proxy to oauth2-proxy

#432 Update ruby dependencies for documentation (@theobarberbany)

#471 Add logging in case of invalid redirects (@gargath)

#462 Allow HTML in banner message (@eritikass)

#412 Allow multiple cookie domains to be specified (@edahlseng)

#413 Add -set-basic-auth param to set the Basic Authorization header for upstreams (@morarucostel)

#483 Warn users when session cookies are split (@JoelSpeed)

#488 Set-Basic-Auth should default to false (@JoelSpeed)

#494 Upstream websockets TLS certificate validation now depends on ssl-upstream-insecure-skip-verify (@yaroslavros)

#497 Restrict access using Github collaborators (@jsclayton)

#414 Always encrypt sessions regardless of config (@ti-mo)

#421 Allow logins by usernames even if they do not belong to the specified org and team or collaborators (@yyoshiki41)

Source code(tar.gz)
Source code(zip)
oauth2-proxy-v6.0.0.darwin-amd64.go1.14.2.tar.gz(9.79 MB)
oauth2-proxy-v6.0.0.darwin-amd64-sha256sum.txt(121 bytes)
oauth2-proxy-v6.0.0.freebsd-amd64.go1.14.2.tar.gz(9.89 MB)
oauth2-proxy-v6.0.0.freebsd-amd64-sha256sum.txt(122 bytes)
oauth2-proxy-v6.0.0.linux-amd64.go1.14.2.tar.gz(9.91 MB)
oauth2-proxy-v6.0.0.linux-amd64-sha256sum.txt(120 bytes)
oauth2-proxy-v6.0.0.linux-arm64.go1.14.2.tar.gz(9.28 MB)
oauth2-proxy-v6.0.0.linux-arm64-sha256sum.txt(120 bytes)
oauth2-proxy-v6.0.0.linux-armv6.go1.14.2.tar.gz(9.16 MB)
oauth2-proxy-v6.0.0.linux-armv6-sha256sum.txt(120 bytes)
oauth2-proxy-v6.0.0.windows-amd64.go1.14.2.tar.gz(9.72 MB)
oauth2-proxy-v6.0.0.windows-amd64-sha256sum.txt(122 bytes)
v5.1.1(May 6, 2020)
Security Release

Release Highlights

N/A

Important Notes

(Security) Fix for open redirect vulnerability.

A bad actor using encoded whitespace in redirect URIs can redirect a session to another domain

Breaking Changes

N/A

Changes since v5.1.0

GHSA-j7px-6hwj-hpjg Fix Open Redirect Vulnerability with encoded Whitespace characters (@JoelSpeed)

Special thanks to @rootxharsh @iamnoooob and @mik317 for bringing this issue to our attention
Source code(tar.gz)
Source code(zip)
oauth2_proxy-v5.1.1.darwin-amd64-sha256sum.txt(121 bytes)
oauth2_proxy-v5.1.1.darwin-amd64.go1.14.2.tar.gz(8.31 MB)
oauth2_proxy-v5.1.1.freebsd-amd64-sha256sum.txt(122 bytes)
oauth2_proxy-v5.1.1.freebsd-amd64.go1.14.2.tar.gz(8.33 MB)
oauth2_proxy-v5.1.1.linux-amd64-sha256sum.txt(120 bytes)
oauth2_proxy-v5.1.1.linux-amd64.go1.14.2.tar.gz(8.33 MB)
oauth2_proxy-v5.1.1.linux-arm64-sha256sum.txt(120 bytes)
oauth2_proxy-v5.1.1.linux-arm64.go1.14.2.tar.gz(7.81 MB)
oauth2_proxy-v5.1.1.linux-armv6-sha256sum.txt(120 bytes)
oauth2_proxy-v5.1.1.linux-armv6.go1.14.2.tar.gz(7.71 MB)
oauth2_proxy-v5.1.1.windows-amd64-sha256sum.txt(122 bytes)
oauth2_proxy-v5.1.1.windows-amd64.go1.14.2.tar.gz(8.13 MB)
v5.1.0(Mar 29, 2020)
Release Hightlights

Bump to Go 1.14

Reduced number of Google API requests for group validation

Support for Redis Cluster

Support for overriding hosts in hosts file

Important Notes

[#335] The session expiry for the OIDC provider is now taken from the Token Response (expires_in) rather than from the id_token (exp)

Breaking Changes

N/A

Changes since v5.0.0

#450 Fix http.Cookie SameSite is not copied (@johejo)

#445 Expose acr_values to all providers (@holyjak)

#419 Support Go 1.14, upgrade dependencies, upgrade golangci-lint to 1.23.6 (@johejo)

#444 Support prompt in addition to approval-prompt (@holyjak)

#435 Fix issue with group validation calling google directory API on every HTTP request (@ericofusco)

#400 Add nsswitch.conf to Docker image to allow hosts file to work (@luketainton)

#385 Use the Authorization header instead of access_token for refreshing GitHub Provider sessions (@ibuclaw)

#372 Allow fallback to secondary verified email address in GitHub provider (@dmnemec)

#335 OIDC Provider support for empty id_tokens in the access token refresh response (@howzat)

#363 Extension of Redis Session Store to Support Redis Cluster (@yan-dblinf)

#353 Fix login page fragment handling after soft reload on Firefox (@ffdybuster)

#355 Add Client Secret File support for providers that rotate client secret via file system (@pasha-r)

#401 Give the option to pass email address in the Basic auth header instead of upstream usernames. (@Spindel)

#405 The /sign_in page now honors the rd query parameter, fixing the redirect after a successful authentication (@ti-mo)

#434 Give the option to prefer email address in the username header when using the -pass-user-headers option (@jordancrawfordnz)

Source code(tar.gz)
Source code(zip)
oauth2_proxy-v5.1.0.darwin-amd64.go1.14.tar.gz(8.32 MB)
oauth2_proxy-v5.1.0.darwin-amd64-sha256sum.txt(119 bytes)
oauth2_proxy-v5.1.0.freebsd-amd64.go1.14.tar.gz(8.32 MB)
oauth2_proxy-v5.1.0.freebsd-amd64-sha256sum.txt(120 bytes)
oauth2_proxy-v5.1.0.linux-amd64.go1.14.tar.gz(8.33 MB)
oauth2_proxy-v5.1.0.linux-amd64-sha256sum.txt(118 bytes)
oauth2_proxy-v5.1.0.linux-arm64.go1.14.tar.gz(7.81 MB)
oauth2_proxy-v5.1.0.linux-arm64-sha256sum.txt(118 bytes)
oauth2_proxy-v5.1.0.linux-armv6.go1.14.tar.gz(7.71 MB)
oauth2_proxy-v5.1.0.linux-armv6-sha256sum.txt(118 bytes)
oauth2_proxy-v5.1.0.windows-amd64.go1.14.tar.gz(8.13 MB)
oauth2_proxy-v5.1.0.windows-amd64-sha256sum.txt(120 bytes)
v5.0.0(Jan 29, 2020)
Release Hightlights

Disabled CGO (binaries will work regardless og glibc/musl)

Allow whitelisted redirect ports

Nextcloud provider support added

DigitalOcean provider support added

Important Notes

(Security) Fix for open redirect vulnerability.. a bad actor using /\ in redirect URIs can redirect a session to another domain

Breaking Changes

#321 Add reverse proxy boolean flag to control whether headers like X-Real-Ip are accepted. This defaults to false. Usage behind a reverse proxy will require this flag to be set to avoid logging the reverse proxy IP address.

Changes since v4.1.0

#331 Add reverse proxy setting (@martin-css)

#365 Build with CGO=0 (@tomelliff)

#339 Add configuration for cookie 'SameSite' value. (@pgroudas)

#347 Update keycloak provider configuration documentation. (@sushiMix)

#325 dist.sh: use sha256sum (@syscll)

#179 Add Nextcloud provider (@Ramblurr)

#280 whitelisted redirect domains: add support for whitelisting specific ports or allowing wildcard ports (@kamaln7)

#351 Add DigitalOcean Auth provider (@kamaln7)

Source code(tar.gz)
Source code(zip)
oauth2_proxy-v5.0.0.darwin-amd64.go1.13.6.tar.gz(8.09 MB)
oauth2_proxy-v5.0.0.darwin-amd64-sha256sum.txt(121 bytes)
oauth2_proxy-v5.0.0.freebsd-amd64.go1.13.6.tar.gz(8.10 MB)
oauth2_proxy-v5.0.0.freebsd-amd64-sha256sum.txt(122 bytes)
oauth2_proxy-v5.0.0.linux-amd64.go1.13.6.tar.gz(8.10 MB)
oauth2_proxy-v5.0.0.linux-amd64-sha256sum.txt(120 bytes)
oauth2_proxy-v5.0.0.linux-arm64.go1.13.6.tar.gz(7.56 MB)
oauth2_proxy-v5.0.0.linux-arm64-sha256sum.txt(120 bytes)
oauth2_proxy-v5.0.0.linux-armv6.go1.13.6.tar.gz(7.47 MB)
oauth2_proxy-v5.0.0.linux-armv6-sha256sum.txt(120 bytes)
oauth2_proxy-v5.0.0.windows-amd64.go1.13.6.tar.gz(7.93 MB)
oauth2_proxy-v5.0.0.windows-amd64-sha256sum.txt(122 bytes)
v4.1.0(Dec 10, 2019)
Release Highlights

Added Keycloak provider

Build on Go 1.13

Upgrade Docker image to use Debian Buster

Added support for FreeBSD builds

Added new logo

Added support for GitHub teams

Important Notes

N/A

Breaking Changes

N/A

Changes since v4.0.0

#292 Added bash >= 4.0 dependency to configure script (@jmfrank63)

#227 Add Keycloak provider (@Ofinka)

#259 Redirect to HTTPS (@jmickey)

#273 Support Go 1.13 (@dio)

#275 docker: build from debian buster (@syscll)

#258 Add IDToken for Azure provider (@leyshon)

This PR adds the IDToken into the session for the Azure provider allowing requests to a backend to be identified as a specific user. As a consequence, if you are using a cookie to store the session the cookie will now exceed the 4kb size limit and be split into multiple cookies. This can cause problems when using nginx as a proxy, resulting in no cookie being passed at all. Either increase the proxy_buffer_size in nginx or implement the redis session storage (see https://pusher.github.io/oauth2_proxy/configuration#redis-storage)

#286 Requests.go updated with useful error messages (@biotom)

#274 Supports many github teams with api pagination support (@toshi-miura, @apratina)

#302 Rewrite dist script (@syscll)

#304 Add new Logo! :tada: (@JoelSpeed)

#300 Added userinfo endpoint (@kbabuadze)

#309 Added support for custom CA when connecting to Redis cache (@lleszczu)

#248 Fix issue with X-Auth-Request-Redirect header being ignored (@webnard)

#314 Add redirect capability to sign_out (@costelmoraru)

#265 Add upstream with static response (@cgroschupp)

#317 Add build for FreeBSD (@fnkr)

#296 Allow to override provider's name for sign-in page (@ffdybuster)

Source code(tar.gz)
Source code(zip)
oauth2_proxy-v4.1.0.darwin-amd64.go1.13.5.tar.gz(8.08 MB)
oauth2_proxy-v4.1.0.darwin-amd64-sha256sum.txt(121 bytes)
oauth2_proxy-v4.1.0.freebsd-amd64.go1.13.5.tar.gz(8.09 MB)
oauth2_proxy-v4.1.0.freebsd-amd64-sha256sum.txt(122 bytes)
oauth2_proxy-v4.1.0.linux-amd64.go1.13.5.tar.gz(8.12 MB)
oauth2_proxy-v4.1.0.linux-amd64-sha256sum.txt(120 bytes)
oauth2_proxy-v4.1.0.linux-arm64.go1.13.5.tar.gz(7.55 MB)
oauth2_proxy-v4.1.0.linux-arm64-sha256sum.txt(120 bytes)
oauth2_proxy-v4.1.0.linux-armv6.go1.13.5.tar.gz(7.46 MB)
oauth2_proxy-v4.1.0.linux-armv6-sha256sum.txt(120 bytes)
oauth2_proxy-v4.1.0.windows-amd64.go1.13.5.tar.gz(7.92 MB)
oauth2_proxy-v4.1.0.windows-amd64-sha256sum.txt(122 bytes)
v4.0.0(Aug 16, 2019)
Release Highlights

Documentation is now on a microsite

Health check logging can now be disabled for quieter logs

Authorization Header JWTs can now be verified by the proxy to skip authentication for machine users

Sessions can now be stored in Redis. This reduces refresh failures and uses smaller cookies (Recommended for those using OIDC refreshing)

Logging overhaul allows customisable logging formats

Important Notes

This release includes a number of breaking changes that will require users to reconfigure their proxies. Please read the Breaking Changes in the CHANGELOG thoroughly.

Please see the CHANGELOG for further details.
Source code(tar.gz)
Source code(zip)
oauth2_proxy-v4.0.0.darwin-amd64-sha256sum.txt(129 bytes)
oauth2_proxy-v4.0.0.darwin-amd64.go1.12.1.tar.gz(8.05 MB)
oauth2_proxy-v4.0.0.linux-amd64-sha256sum.txt(128 bytes)
oauth2_proxy-v4.0.0.linux-amd64.go1.12.1.tar.gz(8.10 MB)
oauth2_proxy-v4.0.0.linux-arm64-sha256sum.txt(128 bytes)
oauth2_proxy-v4.0.0.linux-arm64.go1.12.1.tar.gz(7.57 MB)
oauth2_proxy-v4.0.0.linux-armv6-sha256sum.txt(128 bytes)
oauth2_proxy-v4.0.0.linux-armv6.go1.12.1.tar.gz(7.56 MB)
oauth2_proxy-v4.0.0.windows-amd64-sha256sum.txt(130 bytes)
oauth2_proxy-v4.0.0.windows-amd64.go1.12.1.tar.gz(7.93 MB)
v3.2.0(Apr 12, 2019)
Release highlights

Internal restructure of session state storage to use JSON rather than proprietary scheme

Added health check options for running on GCP behind a load balancer

Improved support for protecting websockets

Added provider for login.gov

Allow manual configuration of OIDC providers

Important notes

Dockerfile user is now non-root, this may break your existing deployment

In the OIDC provider, when no email is returned, the ID Token subject will be used instead of returning an error

GitHub user emails must now be primary and verified before authenticating

Please see the CHANGELOG for further details.
Source code(tar.gz)
Source code(zip)
oauth2_proxy-darwin-amd64-sha256sum.txt(100 bytes)
oauth2_proxy-linux-amd64-sha256sum.txt(99 bytes)
oauth2_proxy-linux-arm64-sha256sum.txt(99 bytes)
oauth2_proxy-linux-armv6-sha256sum.txt(99 bytes)
oauth2_proxy-v3.2.0.darwin-amd64.go1.11.tar.gz(6.23 MB)
oauth2_proxy-v3.2.0.linux-amd64.go1.11.tar.gz(6.21 MB)
oauth2_proxy-v3.2.0.linux-arm64.go1.11.tar.gz(5.80 MB)
oauth2_proxy-v3.2.0.linux-armv6.go1.11.tar.gz(5.79 MB)
oauth2_proxy-v3.2.0.windows-amd64.go1.11.tar.gz(6.10 MB)
oauth2_proxy-windows-amd64-sha256sum.txt(101 bytes)
v3.1.0(Feb 9, 2019)
Release highlights

Introduction of ARM releases and and general improvements to Docker builds

Improvements to OIDC provider allowing pass-through of ID Tokens

Multiple redirect domains can now be whitelisted

Streamed responses are now flushed periodically

Important notes

If you have been using #bitly/621 and have cookies larger than the 4kb limit, the cookie splitting pattern has changed and now uses _ in place of - when indexing cookies. This will force users to reauthenticate the first time they use v3.1.0.

Streamed responses will now be flushed every 1 second by default. Previously streamed responses were flushed only when the buffer was full. To retain the old behaviour set --flush-interval=0. See #23 for further details.

Please see the CHANGELOG for further details.
Source code(tar.gz)
Source code(zip)
oauth2_proxy-darwin-amd64-sha256sum.txt(100 bytes)
oauth2_proxy-linux-amd64-sha256sum.txt(99 bytes)
oauth2_proxy-linux-arm64-sha256sum.txt(99 bytes)
oauth2_proxy-linux-armv6-sha256sum.txt(99 bytes)
oauth2_proxy-v3.1.0.darwin-amd64.go1.11.tar.gz(5.43 MB)
oauth2_proxy-v3.1.0.linux-amd64.go1.11.tar.gz(5.42 MB)
oauth2_proxy-v3.1.0.linux-arm64.go1.11.tar.gz(5.03 MB)
oauth2_proxy-v3.1.0.linux-armv6.go1.11.tar.gz(5.03 MB)
oauth2_proxy-v3.1.0.windows-amd64.go1.11.tar.gz(5.31 MB)
oauth2_proxy-windows-amd64-sha256sum.txt(101 bytes)
v3.0.0(Jan 14, 2019)

This release is functionally equivalent to the bitly v2.2 release.

All differences are contained within #7 (@JoelSpeed) which migrated the repository from Bitly to Pusher.

Please see the CHANGELOG for further details.
Source code(tar.gz)
Source code(zip)
oauth2_proxy-darwin-amd64-sha256sum.txt(100 bytes)
oauth2_proxy-linux-amd64-sha256sum.txt(99 bytes)
oauth2_proxy-v3.0.0-0-g7887272.darwin-amd64.go1.11.tar.gz(11.53 MB)
oauth2_proxy-v3.0.0-0-g7887272.linux-amd64.go1.11.tar.gz(11.54 MB)
oauth2_proxy-v3.0.0-0-g7887272.windows-amd64.go1.11.tar.gz(11.33 MB)
oauth2_proxy-windows-amd64-sha256sum.txt(101 bytes)

A reverse proxy that provides authentication with Google, Github or other providers.

Related tags

Overview

Installation

Security

Docs

Getting Involved

Contributing

Issues

Expected Behavior

Current Behavior

Steps to Reproduce (for bugs)

Your Environment

Expected Behavior

Current Behavior

Possible Solution

Steps to Reproduce (for bugs)

Context

Your Environment

Description

Motivation and Context

How Has This Been Tested?

Checklist:

Description

Motivation and Context

How Has This Been Tested?

Checklist:

Description

Motivation and Context

How Has This Been Tested?

Checklist:

Description

Motivation and Context

How Has This Been Tested?

Checklist:

Expected Behavior

Current Behavior

Possible Solution

Context

Your Environment

Expected Behavior

Current Behavior

Possible Solution

Steps to Reproduce (for bugs)

Context

Your Environment

Description

Motivation and Context

How Has This Been Tested?

Checklist:

Description

Motivation and Context

How Has This Been Tested?

Checklist:

Description

Motivation and Context

How Has This Been Tested?

Checklist:

Expected Behavior

github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests

Current Behavior

Possible Solution

Steps to Reproduce (for bugs)

github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests

Context

Your Environment

Releases(v7.2.1)

v7.2.1(Dec 22, 2021)

Release Highlights

Important Notes

Breaking Changes

Changes since v7.2.0

v7.2.0(Oct 23, 2021)

Release Highlights

Important Notes

Breaking Changes

Changes since v7.1.3

v7.1.3(Apr 28, 2021)

Release Highlights

Important Notes