Secure by Default

CHANGELOG.md

@@ -1,5 +1,5 @@
 
-#### **2.1.2 (Unreleased)**
+#### **2.2.0 (Unreleased)**
 
 FEATURES:
 * Added a `--enable-default-deny` option to make denial by default [#PR320](https://github.com/gambol99/keycloak-proxy/pull/320)
@@ -31,6 +31,9 @@ FIXES:
 * Fixed the issue with a zero exp claim [#PR355](https://github.com/gambol99/keycloak-proxy/pull/355)
 * Added a method check for the hijacker [#PR302](https://github.com/gambol99/keycloak-proxy/pull/302)
 
+BREAKING CHANGES:
+* Making the cookies session only by default and turning the default denial on [#PR368](https://github.com/gambol99/keycloak-proxy/pull/368)
+
 #### **2.1.1**
 
 FEATURES:

README.md

@@ -22,6 +22,7 @@
   - Let's Encrypt support
 
 ----
+> **Note**: since v2.2.0 session-only cookies and default denial is switched on by default; though both of these can be altered on the command line or config.
 
 Keycloak-proxy is a proxy service which at the risk of stating the obvious integrates with the [Keycloak](https://github.com/keycloak/keycloak) authentication service. Although technically the service has no dependency on Keycloak itself and would quite happily work with any OpenID provider. The service supports both access tokens in browser cookie or bearer tokens.
 
@@ -34,7 +35,7 @@ USAGE:
    keycloak-proxy [options]
 
 VERSION:
-   v2.1.1 (git+sha: c1e8399-dirty, built: 12-05-2018)
+   v2.2.0 (git+sha: 72a3646-dirty, built: 25-05-2018)
 
 AUTHOR:
    Rohith <gambol99@gmail.com>
@@ -252,7 +253,7 @@ bin/keycloak-proxy \
     --resources="uri=/public/*|white-listed=true"
 ```
 
-The **recommended** deployment to use a default denial to all requests via `--enable-default-deny=true` or `--resources="uri=/*"` and to then explicityly allow what you want through.
+Note from release 2.2.0 the `--enable-default-deny` is true by default and should explicityly allow what you want through.
 
 #### **HTTP Routing**
 
@@ -286,6 +287,10 @@ DEBU[0002] resource access permitted: /favicon.ico       access=permitted bearer
 2016-02-06 13:59:01.856716 I | http: proxy error: dial tcp 127.0.0.1:8081: getsockopt: connection refused
 ```
 
+#### **Session Only Cookies**
+
+By default the access and refresh cookies are session only and disposed of on broswer close; you can disable this feature via the `--enable-session-cookies` option.
+
 #### **Forward Signing Proxy**
 
 Forward signing provides a mechanism for authentication and authorization between services using tokens issued from the IDp. When operating with in the mode the proxy will automatically acquire an access token (handling the refreshing or logins on your behalf) and tag outbound requests with a Authorization header. You can control which domains are tagged with the --forwarding-domains option. Note, this option use a **contains** comparison on domains. So, if you wanted to match all domains under *.svc.cluster.local can and simply use: --forwarding-domain=svc.cluster.local.

config.go

@@ -32,6 +32,8 @@ func newDefaultConfig() *Config {
 		CookieRefreshName:           "kc-state",
 		EnableAuthorizationCookies:  true,
 		EnableAuthorizationHeader:   true,
+		EnableDefaultDeny:           true,
+		EnableSessionCookies:        true,
 		EnableTokenHeader:           true,
 		Headers:                     make(map[string]string),
 		LetsEncryptCacheDir:         "./cache/",

doc.go

@@ -27,7 +27,7 @@ import (
 )
 
 var (
-	release  = "v2.1.1"
+	release  = "v2.2.0"
 	gitsha   = "no gitsha provided"
 	compiled = "0"
 	version  = ""