forked from oauth2-proxy/oauth2-proxy
-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request oauth2-proxy#2792 from oauth2-proxy/release/v7.7.0
release v7.7.0
- Loading branch information
Showing
45 changed files
with
2,784 additions
and
108 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| --- | ||
| id: behaviour | ||
| title: Behaviour | ||
| --- | ||
|
|
||
| 1. Any request passing through the proxy (and not matched by `--skip-auth-regex`) is checked for the proxy's session cookie (`--cookie-name`) (or, if allowed, a JWT token - see `--skip-jwt-bearer-tokens`). | ||
| 2. If authentication is required but missing then the user is asked to log in and redirected to the authentication provider (unless it is an Ajax request, i.e. one with `Accept: application/json`, in which case 401 Unauthorized is returned) | ||
| 3. After returning from the authentication provider, the oauth tokens are stored in the configured session store (cookie, redis, ...) and a cookie is set | ||
| 4. The request is forwarded to the upstream server with added user info and authentication headers (depending on the configuration) | ||
|
|
||
| Notice that the proxy also provides a number of useful [endpoints](features/endpoints.md). |
78 changes: 78 additions & 0 deletions
78
docs/versioned_docs/version-7.7.x/community/contribution.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,78 @@ | ||
| --- | ||
| id: contribution | ||
| title: Contribution Guide | ||
| --- | ||
|
|
||
| We track bugs and issues using Github. | ||
|
|
||
| If you find a bug, please open an Issue. When opening an Issue or Pull Request please follow the preconfigured template and take special note of the checkboxes. | ||
|
|
||
| If you want to fix a bug, add a new feature or extend existing functionality, please create a fork, create a feature branch and open a PR back to this repo. | ||
| Please mention open bug issue number(s) within your PR if applicable. | ||
|
|
||
| We suggest using [Visual Studio Code](https://code.visualstudio.com/docs/languages/go) with the official [Go for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=golang.go) extension. | ||
|
|
||
|
|
||
| # Go version | ||
|
|
||
| This project is currently still using go 1.22. You can follow the installation guide for go [here.](https://go.dev/doc/install) And you can find go version 1.22 in the archived section [here.](https://go.dev/dl/) | ||
|
|
||
| # Preparing your fork | ||
| Clone your fork, create a feature branch and update the depedencies to get started. | ||
| ```bash | ||
| git clone git@github.com:<YOUR_FORK>/oauth2-proxy | ||
| cd oauth2-proxy | ||
| git branch feature/<BRANCH_NAME> | ||
| git push --set-upstream origin feature/<BRANCH_NAME> | ||
| go mod download | ||
| ``` | ||
|
|
||
|
|
||
| # Testing / Debugging | ||
| For starting oauth2-proxy locally open the debugging tab and create the `launch.json` and select `Go: Launch Package`. | ||
|
|
||
|  | ||
| ```json | ||
| { | ||
| "version": "0.2.0", | ||
| "configurations": [ | ||
| { | ||
| "name": "Launch OAuth2-Proxy with Dex", | ||
| "type": "go", | ||
| "request": "launch", | ||
| "mode": "auto", | ||
| "program": "${workspaceFolder}", | ||
| "args": [ | ||
| "--config", | ||
| // The following configuration contains settings for a locally deployed | ||
| // upstream and dex as an idetity provider | ||
| "contrib/local-environment/oauth2-proxy.cfg" | ||
| ] | ||
| }, | ||
| { | ||
| "name": "Launch OAuth2-Proxy with Keycloak", | ||
| "type": "go", | ||
| "request": "launch", | ||
| "mode": "auto", | ||
| "program": "${workspaceFolder}", | ||
| "args": [ | ||
| "--config", | ||
| // The following configuration contains settings for a locally deployed | ||
| // upstream and keycloak as an idetity provider | ||
| "contrib/local-environment/oauth2-proxy-keycloak.cfg" | ||
| ] | ||
| } | ||
| ] | ||
| } | ||
| ``` | ||
|
|
||
| Before you can start your local version of oauth2-proxy, you will have to use the provided docker compose files to start a local upstream service and identity provider. We suggest using [httpbin](https://hub.docker.com/r/kennethreitz/httpbin) as your upstream for testing as it allows for request and response introspection of all things HTTP. | ||
|
|
||
| Open a terminal and switch to the `contrib/local-environment` directory. | ||
|
|
||
| - Dex as your IdP: `docker compose -f docker-compose.yaml up dex etcd httpbin` | ||
| - Keycloak as your IdP: `docker compose -f docker-compose-keycloak.yaml up keycloak httpbin` | ||
|
|
||
| The username for both is `admin@example.com` and password is `password`. | ||
|
|
||
| Start oauth2-proxy from the debug tab and open http://oauth2-proxy.localtest.me:4180/ for testing. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| --- | ||
| id: security | ||
| title: Security | ||
| --- | ||
|
|
||
| :::note | ||
| OAuth2 Proxy is a community project. | ||
| Maintainers do not work on this project full time, and as such, | ||
| while we endeavour to respond to disclosures as quickly as possible, | ||
| this may take longer than in projects with corporate sponsorship. | ||
| ::: | ||
|
|
||
| ## Security Disclosures | ||
|
|
||
| :::important | ||
| If you believe you have found a vulnerability within OAuth2 Proxy or any of its | ||
| dependencies, please do NOT open an issue or PR on GitHub, please do NOT post | ||
| any details publicly. | ||
| ::: | ||
|
|
||
| Security disclosures MUST be done in private. | ||
| If you have found an issue that you would like to bring to the attention of the | ||
| maintenance team for OAuth2 Proxy, please compose an email and send it to the | ||
| list of maintainers in our [MAINTAINERS](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/MAINTAINERS) file. | ||
|
|
||
| Please include as much detail as possible. | ||
| Ideally, your disclosure should include: | ||
| - A reproducible case that can be used to demonstrate the exploit | ||
| - How you discovered this vulnerability | ||
| - A potential fix for the issue (if you have thought of one) | ||
| - Versions affected (if not present in master) | ||
| - Your GitHub ID | ||
|
|
||
| ### How will we respond to disclosures? | ||
|
|
||
| We use [GitHub Security Advisories](https://docs.github.com/en/github/managing-security-vulnerabilities/about-github-security-advisories) | ||
| to privately discuss fixes for disclosed vulnerabilities. | ||
| If you include a GitHub ID with your disclosure we will add you as a collaborator | ||
| for the advisory so that you can join the discussion and validate any fixes | ||
| we may propose. | ||
|
|
||
| For minor issues and previously disclosed vulnerabilities (typically for | ||
| dependencies), we may use regular PRs for fixes and forego the security advisory. | ||
|
|
||
| Once a fix has been agreed upon, we will merge the fix and create a new release. | ||
| If we have multiple security issues in flight simultaneously, we may delay | ||
| merging fixes until all patches are ready. | ||
| We may also backport the fix to previous releases, | ||
| but this will be at the discretion of the maintainers. |
Oops, something went wrong.