Merge branch 'master' into feature/release-automation

.github/workflows/docs.yaml

@@ -9,63 +9,64 @@ on:
     paths: ['docs/**']
 
 jobs:
-  checks:
-    if: github.event_name != 'push'
+  pull-request-check:
+    if: github.event_name == 'pull_request'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v1
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v3
         with:
-          node-version: '17.x'
+          node-version: 18
+
       - name: Test Build
         working-directory: ./docs
-        env:
-          NODE_OPTIONS: --openssl-legacy-provider
         run: |
-          if [ -e yarn.lock ]; then
-          yarn install --frozen-lockfile
-          elif [ -e package-lock.json ]; then
           npm ci
-          else
-          npm i
-          fi
           npm run build
-  gh-release:
-    if: github.event_name != 'pull_request'
+
+  gh-pages-release:
+    if: github.event_name == 'push'
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v1
+      - uses: actions/checkout@v4
         with:
-          node-version: '17.x'
-      - name: Add key to allow access to repository
-        env:
-          SSH_AUTH_SOCK: /tmp/ssh_agent.sock
-          NODE_OPTIONS: --openssl-legacy-provider
+          path: master
+
+      - uses: actions/checkout@v4
+        with:
+          ref: gh-pages
+          path: gh-pages
+
+      - uses: actions/setup-node@v3
+        with:
+          node-version: 18
+
+      - name: Build docusaurus
+        working-directory: master/docs
+        id: build
         run: |
-          mkdir -p ~/.ssh
-          ssh-keyscan github.com >> ~/.ssh/known_hosts
-          echo "${{ secrets.GH_PAGES_DEPLOY }}" > ~/.ssh/id_rsa
-          chmod 600 ~/.ssh/id_rsa
-          cat <<EOT >> ~/.ssh/config
-          Host github.com
-          HostName github.com
-          IdentityFile ~/.ssh/id_rsa
-          EOT
-      - name: Release to GitHub Pages
-        working-directory: ./docs
+          echo "sha=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
+          npm ci
+          npm run build
+
+      - name: Release to github pages
         env:
-          USE_SSH: true
-          GIT_USER: git
-          NODE_OPTIONS: --openssl-legacy-provider
+          GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        working-directory: gh-pages
         run: |
-          git config --global user.email "actions@gihub.com"
-          git config --global user.name "gh-actions"
-          if [ -e yarn.lock ]; then
-          yarn install --frozen-lockfile
-          elif [ -e package-lock.json ]; then
-          npm ci
-          else
-          npm i
-          fi
-          npx docusaurus deploy
+          git config --local user.name "github-actions[bot]"
+          git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+          # Remove all files except .git
+          git rm -r *
+
+          # Copy the build files from master/docs/build to gh-pages
+          cp -r ../master/docs/build/* .
+
+          # Commit and push
+          git add .
+          git commit -m "Update documentation based on ${{ steps.build.outputs.sha }}"
+          git push origin gh-pages

CHANGELOG.md

@@ -6,11 +6,33 @@
 
 ## Breaking Changes
 
+## Changes since v7.5.1
+
+# V7.5.1
+
+## Release Highlights
+- 🐛 Several bugs have been squashed
+- 🕵️‍♀️ Vulnerabilities have been addressed
+- 📖Improved docs
+
+## Important Notes
+
+- This release includes fixes for a number of CVEs, we recommend to upgrade as soon as possible.
+- The environment variable OAUTH2_PROXY_GOOGLE_GROUP has been deprecated in favor of OAUTH2_PROXY_GOOGLE_GROUPS. Next major release
+will remove this option. This change makes sure that the configuration options follow the documentation.
+
+## Breaking Changes
+
+N/A
+
 ## Changes since v7.5.0
 - [#2220](https://github.com/oauth2-proxy/oauth2-proxy/pull/2220) Added binary and docker release platforms (@kvanzuijlen)
 - [#2221](https://github.com/oauth2-proxy/oauth2-proxy/pull/2221) Backwards compatible fix for wrong environment variable name (OAUTH2_PROXY_GOOGLE_GROUPS) (@kvanzuijlen)
-- [#1989](https://github.com/oauth2-proxy/oauth2-proxy/pull/1989) Fix default scope for keycloak-oidc provider
+- [#1989](https://github.com/oauth2-proxy/oauth2-proxy/pull/1989) Fix default scope for keycloak-oidc provider (@tuunit)
 - [#2217](https://github.com/oauth2-proxy/oauth2-proxy/pull/2217) Upgrade alpine to version 3.18 (@polarctos)
+- [#2208](https://github.com/oauth2-proxy/oauth2-proxy/pull/2208) Improved session documentation (@lathspell)
+- [#2229](https://github.com/oauth2-proxy/oauth2-proxy/pull/2229) bugfix: default scopes for OIDCProvider based providers (@tuunit)
+- [#2194](https://github.com/oauth2-proxy/oauth2-proxy/pull/2194) Fix Gitea token validation (@tuunit)
 
 # V7.5.0
 
@@ -24,6 +46,8 @@
 ## Important Notes
 
 - This release includes fixes for a number of CVEs, we recommend to upgrade as soon as possible.
+- This release was pushed with the wrong Docker platform type for arm64/armv8. Use v7.5.1 instead.
+- This release introduced a bug with the Keycloak OIDC provider causing no scopes to be send along with the request. Use v7.5.1 instead.
 
 ## Breaking Changes
 

contrib/local-environment/Makefile

@@ -1,34 +1,42 @@
 .PHONY: up
 up:
-	docker-compose up -d
+	docker compose up -d
 
 .PHONY: %
 %:
-	docker-compose $*
+	docker compose $*
 
 .PHONY: alpha-config-up
 alpha-config-up:
-	docker-compose -f docker-compose.yaml -f docker-compose-alpha-config.yaml up -d
+	docker compose -f docker-compose.yaml -f docker-compose-alpha-config.yaml up -d
 
 .PHONY: alpha-config-%
 alpha-config-%:
-	docker-compose -f docker-compose.yaml -f docker-compose-alpha-config.yaml $*
+	docker compose -f docker-compose.yaml -f docker-compose-alpha-config.yaml $*
 
 .PHONY: nginx-up
 nginx-up:
-	docker-compose -f docker-compose.yaml -f docker-compose-nginx.yaml up -d
+	docker compose -f docker-compose.yaml -f docker-compose-nginx.yaml up -d
 
 .PHONY: nginx-%
 nginx-%:
-	docker-compose -f docker-compose.yaml -f docker-compose-nginx.yaml $*
+	docker compose -f docker-compose.yaml -f docker-compose-nginx.yaml $*
 
 .PHONY: keycloak-up
 keycloak-up:
-	docker-compose -f docker-compose-keycloak.yaml up -d
+	docker compose -f docker-compose-keycloak.yaml up -d
 
 .PHONY: keycloak-%
 keycloak-%:
-	docker-compose -f docker-compose-keycloak.yaml $*
+	docker compose -f docker-compose-keycloak.yaml $*
+
+.PHONY: gitea-up
+gitea-up:
+	docker compose -f docker-compose-gitea.yaml up -d
+
+.PHONY: gitea-%
+gitea-%:
+	docker compose -f docker-compose-gitea.yaml $*
 
 .PHONY: kubernetes-up
 kubernetes-up:
@@ -41,8 +49,8 @@ kubernetes-down:
 
 .PHONY: traefik-up
 traefik-up:
-	docker-compose -f docker-compose.yaml -f docker-compose-traefik.yaml up -d
+	docker compose -f docker-compose.yaml -f docker-compose-traefik.yaml up -d
 
 .PHONY: traefik-%
 traefik-%:
-	docker-compose -f docker-compose.yaml -f docker-compose-traefik.yaml $*
+	docker compose -f docker-compose.yaml -f docker-compose-traefik.yaml $*

contrib/local-environment/docker-compose-gitea.yaml

@@ -0,0 +1,65 @@
+# This docker-compose file can be used to bring up an example instance of oauth2-proxy
+# for manual testing and exploration of features.
+# Alongside OAuth2-Proxy, this file also starts Gitea to act as the identity provider,
+# HTTPBin as an example upstream.
+#
+# This can either be created using docker-compose
+#    docker-compose -f docker-compose-gitea.yaml <command>
+# Or:
+#    make gitea-<command> (eg. make gitea-up, make gitea-down)
+#
+# Access http://oauth2-proxy.localtest.me:4180 to initiate a login cycle using user=admin@example.com, password=password
+# Access http://gitea.localtest.me:3000 with the same credentials to check out the settings
+version: '3.0'
+services:
+  oauth2-proxy:
+    container_name: oauth2-proxy
+    image: gitea-oauth #quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
+    command: --config /oauth2-proxy.cfg
+    hostname: oauth2-proxy
+    volumes:
+      - "./oauth2-proxy-gitea.cfg:/oauth2-proxy.cfg"
+    restart: unless-stopped
+    networks:
+      gitea: {}
+      httpbin: {}
+      oauth2-proxy: {}
+    depends_on:
+      - httpbin
+      - gitea
+    ports:
+      - 4180:4180/tcp
+
+  httpbin:
+    container_name: httpbin
+    image: kennethreitz/httpbin:latest
+    hostname: httpbin
+    ports:
+      - 8080:80
+    networks:
+      httpbin:
+        aliases:
+          - httpbin.localtest.me
+
+  gitea:
+    image: gitea/gitea:latest
+    container_name: gitea
+    environment:
+      - USER_UID=1000
+      - USER_GID=1000
+    restart: always
+    networks:
+      gitea:
+        aliases:
+          - gitea.localtest.me
+    volumes:
+      - /etc/timezone:/etc/timezone:ro
+      - /etc/localtime:/etc/localtime:ro
+    ports:
+      - "3000:3000"
+      - "222:22"
+
+networks:
+  httpbin: {}
+  gitea: {}
+  oauth2-proxy: {}

contrib/local-environment/oauth2-proxy-gitea.cfg

@@ -0,0 +1,19 @@
+http_address="0.0.0.0:4180"
+cookie_secret="OQINaROshtE9TcZkNAm-5Zs2Pv3xaWytBmc5W7sPX7w="
+email_domains=["localhost"]
+cookie_secure="false"
+upstreams="http://httpbin"
+cookie_domains=[".localtest.me"] # Required so cookie can be read on all subdomains.
+whitelist_domains=[".localtest.me"] # Required to allow redirection back to original requested target.
+
+client_id="ef0c2b91-2e38-4fa8-908d-067a35dbb71c"
+client_secret="gto_qdppomn2p26su5x46tyixj7bcny5m5er2s67xhrponq2qtp66f3a"
+redirect_url="http://oauth2-proxy.localtest.me:4180/oauth2/callback"
+
+# gitea provider
+provider="github"
+provider_display_name="Gitea"
+login_url="http://gitea.localtest.me:3000/login/oauth/authorize"
+redeem_url="http://gitea.localtest.me:3000/login/oauth/access_token"
+validate_url="http://gitea.localtest.me:3000/api/v1/user/emails"
+

contrib/oauth2-proxy.cfg.example

@@ -71,7 +71,7 @@
 
 ## mark paths as API routes to get HTTP Status code 401 instead of redirect to login page
 # api_routes = [
-#   "^/api
+#   "^/api"
 # ]
 
 ## Templates

docs/docs/configuration/auth.md

@@ -12,6 +12,7 @@ Valid providers are :
 - [ADFS](#adfs-auth-provider)
 - [Facebook](#facebook-auth-provider)
 - [GitHub](#github-auth-provider)
+- [Gitea](#gitea-auth-provider)
 - [Keycloak](#keycloak-auth-provider)
 - [GitLab](#gitlab-auth-provider)
 - [LinkedIn](#linkedin-auth-provider)
@@ -21,7 +22,6 @@ Valid providers are :
 - [Nextcloud](#nextcloud-provider)
 - [DigitalOcean](#digitalocean-auth-provider)
 - [Bitbucket](#bitbucket-auth-provider)
-- [Gitea](#gitea-auth-provider)
 
 The provider can be selected using the `provider` configuration value.
 
@@ -177,6 +177,25 @@ If you are using GitHub enterprise, make sure you set the following to the appro
     -redeem-url="http(s)://<enterprise github host>/login/oauth/access_token"
     -validate-url="http(s)://<enterprise github host>/api/v3"
 
+### Gitea Auth Provider
+
+1. Create a new application: `https://< your gitea host >/user/settings/applications`
+2. Under `Redirect URI` enter the correct URL i.e. `https://<proxied host>/oauth2/callback`
+3. Note the Client ID and Client Secret.
+4. Pass the following options to the proxy:
+
+```
+    --provider="github"
+    --redirect-url="https://<proxied host>/oauth2/callback"
+    --provider-display-name="Gitea"
+    --client-id="< client_id as generated by Gitea >"
+    --client-secret="< client_secret as generated by Gitea >"
+    --login-url="https://< your gitea host >/login/oauth/authorize"
+    --redeem-url="https://< your gitea host >/login/oauth/access_token"
+    --validate-url="https://< your gitea host >/api/v1/user/emails"
+```
+
+
 ### Keycloak Auth Provider
 
 :::note 
@@ -660,24 +679,6 @@ To use the provider, pass the following options:
 The default configuration allows everyone with Bitbucket account to authenticate. To restrict the access to the team members use additional configuration option: `--bitbucket-team=<Team name>`. To restrict the access to only these users who has access to one selected repository use `--bitbucket-repository=<Repository name>`.
 
 
-### Gitea Auth Provider
-
-1. Create a new application: `https://< your gitea host >/user/settings/applications`
-2. Under `Redirect URI` enter the correct URL i.e. `https://<proxied host>/oauth2/callback`
-3. Note the Client ID and Client Secret.
-4. Pass the following options to the proxy:
-
-```
-    --provider="github"
-    --redirect-url="https://<proxied host>/oauth2/callback"
-    --provider-display-name="Gitea"
-    --client-id="< client_id as generated by Gitea >"
-    --client-secret="< client_secret as generated by Gitea >"
-    --login-url="https://< your gitea host >/login/oauth/authorize"
-    --redeem-url="https://< your gitea host >/login/oauth/access_token"
-    --validate-url="https://< your gitea host >/api/v1"
-```
-
 
 ## Email Authentication
 

docs/docusaurus.config.js

@@ -54,4 +54,13 @@ module.exports = {
       },
     ],
   ],
+  themes: [
+    [
+      require.resolve("@easyops-cn/docusaurus-search-local"),
+      /** @type {import("@easyops-cn/docusaurus-search-local").PluginOptions} */
+      ({
+        hashed: true,
+      }),
+    ],
+  ],
 };