Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support to pass tokens #104

Merged
merged 41 commits into from
May 22, 2019
Merged

Add support to pass tokens #104

merged 41 commits into from
May 22, 2019

Conversation

artagel
Copy link
Contributor

@artagel artagel commented Apr 14, 2019

I believe this fixes #74, by adding the support to pass tokens to downstream apps.
Fixes #43
I also believe this is a more complete implementation of #71, which was focused on ADFS. This works for all providers.

@artagel artagel closed this Apr 16, 2019
@artagel artagel deleted the add_support_to_pass_tokens branch April 16, 2019 14:08
@bnfinet
Copy link
Member

bnfinet commented Apr 16, 2019

@artagel did you mean to close the PR or is that GitHub being too smart for us.

Sorry for the delay in reviewing.

@artagel
Copy link
Contributor Author

artagel commented Apr 16, 2019

/sigh.. no :)

@artagel artagel restored the add_support_to_pass_tokens branch April 16, 2019 14:16
@bnfinet
Copy link
Member

bnfinet commented Apr 16, 2019

:)

@bnfinet bnfinet reopened this Apr 16, 2019
@karthikv2k
Copy link

I am looking forward to get this feature. This is useful for securing services running in https://cloud.google.com/run/ that currently needs a header with a JWT.

@karthikv2k
Copy link

Thanks for the PR @artagel

@bnfinet
Copy link
Member

bnfinet commented Apr 23, 2019

@karthikv2k have you confirmed that the PR works well for that config? If not, would you be in a position to test that?

@karthikv2k
Copy link

@bnfinet I tested by running vouch proxy locally and connecting it a cloud run service and it works :) Next step is to run the vouch proxy itself as a cloud run service and test. I will get that done by tomorrow.
The end result will have two services, one Nginx+Vouch and other is the destination service. In this way, the destination service run can use cloud run's IAM policy to authorize users for each service separately. Nginx and vouch does the job of reverse proxy, oauth flow, and passing the user's JWT token.

@karthikv2k
Copy link

@bnfinet I tested this PR in cloud run (as described in my prev comment) and it works.

@bnfinet
Copy link
Member

bnfinet commented Apr 26, 2019
edited
Loading

Thanks so much for doing that @karthikv2k

Much appreciated!

@karthikv2k
Copy link

karthikv2k commented May 2, 2019
edited
Loading

https://github.com/karthikv2k/oauth_reverse_proxy has the config to work with cloud run.
Any help I can do to get this PR merged?

artagel and others added 19 commits May 2, 2019 10:54
@artagel @bnfinet
Add support for grabbing claims from the return of getuserinfo functi…
e24bd02 
…ons for all providers.
@artagel @bnfinet
Fix function argument order for updated customclaim support.
cc27f86
@artagel @bnfinet
Create the JWT token with newly added customClaims.
ee16254
@artagel @bnfinet
Add new config option 'claimheader'
7d6ae61
@artagel @bnfinet
Make ClaimHeader default to X-Vouch-IdP-Claims-
27cd957
@artagel @bnfinet
Add claims to headers.
5d7b562
@artagel @bnfinet
Rework customClaims variable into a struct to be reusable and passabl…
4d58a80 
…e to jwt functions.
@artagel @bnfinet
Add some useful logging.
5ce18bd
@artagel @bnfinet
Update README and config example to include custom claim support.
ca7d295
@artagel @bnfinet
Ensure config example comments out the optional param for header cust…
8d5f25f 
…om claims.
@artagel @bnfinet
Update jwt tests to support claims.
06a0c49
@bnfinet
fix #115 state variable alpha num
346ac40
@bnfinet
Merge branch 'master' into artagel-allow_users_to_store_claims_in_JWT
c98e490
@artagel @bnfinet
Make client_secret optional for oidc and adfs. Keycloak (generic oidc…
f85c582 
…) specifically allows setting of 'authorized' clients, without this setting the client_secret is not needed. ADFS also only requires client_secret for server applications, and other clients do not need it, and error if they receive it.
@bnfinet
Merge branch 'artagel-make_client_secret_optional'
229f735
@bnfinet
Merge branch 'general_fixes_and_unit_testing' of git://github.com/art…
265ee5d 
…agel/vouch-proxy into artagel-general_fixes_and_unit_testing
@bnfinet
#113 rename variables, formatting
85c593f
@bnfinet
Merge branch 'add_support_to_pass_tokens' of git://github.com/artagel…
5939a7e 
…/vouch-proxy into artagel-add_support_to_pass_tokens
@bnfinet
#104 use 1of3 2of3 4of3 for multipart cookies
b1bb31d
@bnfinet
Copy link
Member

bnfinet commented May 3, 2019

@karthikv2k can you please test the branch artagel-add_support_to_pass_tokens

we're getting closer to full merge :)

@karthikv2k
Copy link

@bnfinet, I am able to test artagel-add_support_to_pass_tokens and it works as expected. Updated the setup details in https://github.com/karthikv2k/oauth_reverse_proxy

@bnfinet
Copy link
Member

bnfinet commented May 6, 2019 via email

@bnfinet bnfinet merged commit 5930747 into vouch:master May 22, 2019
This was referenced May 22, 2019
Closed
Closed
@bnfinet bnfinet mentioned this pull request Aug 26, 2019
Closed
bnfinet added a commit that referenced this pull request May 22, 2020
@bnfinet
#104 use 1of3 2of3 4of3 for multipart cookies
789ac29
bnfinet added a commit that referenced this pull request May 22, 2020
@bnfinet
#104 and #109 large cookies full of tokens
dba94fe
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
5 participants
@artagel @bnfinet @karthikv2k @twelve34 @simongottschlag