Create FUNDING.yml
* upgrade to go1.24.5

  dependency updates
  lint fixes

  chore(deps): upgrade github.com/spf13/viper to v1.20.1

  Note that this upgrade also implied upgrading github.com/mitchellh/mapstructure (nowadays unmaintained: https://gist.github.com/mitchellh/90029601268e59a29e64e55bab1c5bdc) to github.com/go-viper/mapstructure/v2.

  fix: adapt tests to match mapstructure v2 error messages

  pkg/apis/options/load_test.go: skip tests on Go 1.23

  Add a compile guard for Go < 1.24 for the pkg/apis/options/load_test.go because the LoadYAML test depends on error messages produced by encoding/json that changed slightly (names of embedded structs are now reported). As we updated the test for go1.24, the test now fails on 1.23, but just for a slight difference, so we disable the test there.

  fix: adapt tests to match mapstructure v2 error messages

  remove pre 1.24 disclaimer

  add changelog entry

  Signed-off-by: Jan Larwig <jan@larwig.com>
  Co-Authored-By: Olivier Mengué <dolmen@cpan.org>

* add exclusion for 'avoid meaningless package names' in .golangci.yml

* chore(dep): upgrade all dependencies

  Signed-off-by: Jan Larwig <jan@larwig.com>

---------

Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Olivier Mengué <dolmen@cpan.org>
Co-authored-by: Jan Larwig <jan@larwig.com>
…h2-proxy#3111) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
… ^0.51.0 (oauth2-proxy#3098) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* chore(deps): update alpine docker tag to v3.22.0 * add changelog entry Signed-off-by: Jan Larwig <jan@larwig.com> --------- Signed-off-by: Jan Larwig <jan@larwig.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Jan Larwig <jan@larwig.com>
* fix: return error for empty Redis URL list * add changelog entry Signed-off-by: Jan Larwig <jan@larwig.com> --------- Signed-off-by: Jan Larwig <jan@larwig.com> Co-authored-by: Jan Larwig <jan@larwig.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
release v7.10.0
… ^0.52.0 (oauth2-proxy#3131) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
…y#3133) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* Allow setting maximum number of csrf cookies, deleting the oldest if necessary
* Add a test for multiple CSRF cookies to remove the old cookie
* Add docs/changelog
* If limit is <=0 do not clear

  Signed-off-by: test <bert@transtrend.com>

* Better docs

  Co-authored-by: Jan Larwig <jan@larwig.com>

* direct check of option value

  Co-authored-by: Jan Larwig <jan@larwig.com>

* direct use of option value

  Co-authored-by: Jan Larwig <jan@larwig.com>

* sort based on clock compare vs time compare

  Co-authored-by: Jan Larwig <jan@larwig.com>

* clock.Clock does not implement Compare, fix csrf cookie extraction after rename

  Signed-off-by: Bert Helderman <bert@transtrend.com>

* Linter fix
* add method signature documentation and slight formatting

  Signed-off-by: Jan Larwig <jan@larwig.com>

* fix: test case for csrf cookie limit and flag

  Signed-off-by: Jan Larwig <jan@larwig.com>

---------

Signed-off-by: Bert Helderman <bert@transtrend.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: test <bert@transtrend.com>
Co-authored-by: bh-tt <71650427+bh-tt@users.noreply.github.com>
* fix: redirect on invalid cookie * docs: update changelog * chore: remove duplicated code * fix: status code handling if wrong http method is used --------- Signed-off-by: Jan Larwig <jan@larwig.com> Co-authored-by: Jan Larwig <jan@larwig.com>
* Change Dex port in local-environment from 4190 to 5556

  Port 4190 is blocked by standards-compliant browsers (e.g. Firefox), as per https://fetch.spec.whatwg.org/#port-blocking.
  Port 5556 is used by Dex in its example config files: https://github.com/dexidp/dex/blob/745e1114f341e849f3b0edde45b39c14017deaf8/examples/config-dev.yaml#L50

* Fix upstream in local-environment/oauth2-proxy.cfg

  http://httpbin.localtest.me:8080 is only exposed to the host, not to the httpbin Docker network. Caused Bad Gateway before.

* Do not expose unauthenticated httpbin service in local-environment

  This defeats the point of having oauth2-proxy. It has already been misleading by causing the bug fixed in cafc6af. It serves as a bad example: users might accidentally expose the service they're trying to protect in the first place.

* Remove unnecessary httpbin.localtest.me alias from local-environment
…xy#2743) * feat: Allow use more possible google admin-sdk api scopes. * reduce cognitive complexity Signed-off-by: Bob Du <i@bobdu.cc> * remove unnecessary else block / indentation Signed-off-by: Jan Larwig <jan@larwig.com> * add changelog entry Signed-off-by: Jan Larwig <jan@larwig.com> * slight formatting and error message rephrasing Signed-off-by: Jan Larwig <jan@larwig.com> --------- Signed-off-by: Bob Du <i@bobdu.cc> Signed-off-by: Jan Larwig <jan@larwig.com> Co-authored-by: Jan Larwig <jan@larwig.com>
* Add SourceHut (sr.ht) provider * fix changelog entry Signed-off-by: Jan Larwig <jan@larwig.com> --------- Signed-off-by: Jan Larwig <jan@larwig.com> Co-authored-by: Jan Larwig <jan@larwig.com>
…running envsubst (oauth2-proxy#2524) * Perform a regex replace of $NUM to $$NUM before running envsubst * Perform a regex replace of $NUM to $$NUM before running envsubst * add test case; fix linter warnings; add method documentation Signed-off-by: Jan Larwig <jan@larwig.com> * add changelog entry Signed-off-by: Jan Larwig <jan@larwig.com> --------- Signed-off-by: Jan Larwig <jan@larwig.com> Co-authored-by: Jan Larwig <jan@larwig.com>
…y#3104) * feat: add feature support for cookie-secret-file --------- Signed-off-by: Jan Larwig <jan@larwig.com> Co-Authored-By: Sandy Chen <Yuxuan.Chen@morganstanley.com> Co-authored-by: Jan Larwig <jan@larwig.com>
…viders (oauth2-proxy#3055) * fix: OIDC sets response mode * Update CHANGELOG
add test cases update documentation refactor code and some cleanup update changelog Signed-off-by: Jan Larwig <jan@larwig.com>
…ssions (oauth2-proxy#3093) * add some better error handling * add changelog entry Signed-off-by: Jan Larwig <jan@larwig.com> --------- Signed-off-by: Jan Larwig <jan@larwig.com> Co-authored-by: Jan Larwig <jan@larwig.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
* add new docs version 7.11.x * update to release version v7.11.0 * add changelog entry for v7.11.0 Signed-off-by: Jan Larwig <jan@larwig.com> --------- Signed-off-by: Jan Larwig <jan@larwig.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Jan Larwig <jan@larwig.com>
…3290)

* Fix WebSocket proxy to respect PassHostHeader setting

  When PassHostHeader is set to false, the regular HTTP proxy correctly sets the Host header to the upstream backend URL. However, the WebSocket proxy was not respecting this setting, causing WebSocket connections to fail when backend services validate the Host header.

  This commit:
  - Adds passHostHeader parameter to newWebSocketReverseProxy()
  - Applies setProxyUpstreamHostHeader() when PassHostHeader=false
  - Ensures consistent behavior between HTTP and WebSocket proxies

  Fixes oauth2-proxy#3288

  Signed-off-by: Pascal Schmiel <pascal.schmiel@gmail.com>

* chore(): add tests, update changelog

  Signed-off-by: Pascal Schmiel <pascal.schmiel@gmail.com>

---------

Signed-off-by: Pascal Schmiel <pascal.schmiel@gmail.com>
* docs: clarify secret file format requirements Signed-off-by: shri3016] <shriyaktarcar@gmail.com> * doc: backport to v7.13 and v7.12 Signed-off-by: Jan Larwig <jan@larwig.com> --------- Signed-off-by: shri3016] <shriyaktarcar@gmail.com> Signed-off-by: Jan Larwig <jan@larwig.com> Co-authored-by: Jan Larwig <jan@larwig.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
release v7.14.0
* fix: Return 302 redirect from AuthOnly when skip-provider-button is true

  When SkipProviderButton is enabled and a user needs to login, the AuthOnly endpoint now returns a 302 redirect directly to the OAuth provider instead of returning 401.

  This fixes an issue with nginx auth_request architecture where 401 triggers error_page handling, which can break redirect flows because nginx overrides the status code (e.g., to 403), and browsers don't follow Location headers for non-3xx responses.

  Fixes: oauth2-proxy#334

  Signed-off-by: Stefan Markmann <stefan@markmann.net>

* update docs and changelog

  Signed-off-by: Stefan Markmann <stefan@markmann.net>

* test: Add specific OAuth redirect assertions per code review feedback

  Improve TestAuthOnlyEndpointRedirectWithSkipProviderButton to verify that the Location header actually redirects to the OAuth provider's authorize endpoint with required parameters (client_id, redirect_uri, state), not just that a Location header exists.

  Signed-off-by: Stefan Markmann <stefan@markmann.net>

* refactor: Flatten AuthOnly error handling structure

  Move the SkipProviderButton check outside of the nested err != nil block using an if-else structure. This makes the special case more visible and reduces nesting depth without changing behavior.

  Signed-off-by: Stefan Markmann <stefan@markmann.net>

* doc: backport to v7.14.x

  Signed-off-by: Jan Larwig <jan@larwig.com>

---------

Signed-off-by: Stefan Markmann <stefan@markmann.net>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
…`proxyWebSockets` defaults being set incorrectly (oauth2-proxy#3302) * fix: static upstream validation failure Signed-off-by: Sourav Agrawal <souravagr01@gmail.com> * fix: enforcement of defaults compatible with static upstreams Signed-off-by: Jan Larwig <jan@larwig.com> --------- Signed-off-by: Sourav Agrawal <souravagr01@gmail.com> Signed-off-by: Jan Larwig <jan@larwig.com> Co-authored-by: Jan Larwig <jan@larwig.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
chore(deps): update go1.25.6 and dependencies
Signed-off-by: Jan Larwig <jan@larwig.com>
release v7.14.1
)" (oauth2-proxy#3314)

This reverts commit 9c61c49.

The original fix broke nginx deployments using `auth_request`. When `/oauth2/auth` returns 302, nginx's `auth_request` module treats this as an internal error:

    [error] auth request unexpected status: 302 while sending to client

nginx then returns **500 Internal Server Error** to the browser.

> If the subrequest returns a 2xx response code, the access is allowed. If it returns 401 or 403,
> the access is denied with the corresponding error code. Any other response code returned by the
> subrequest is considered an error.

https://nginx.org/en/docs/http/ngx_http_auth_request_module.html

The nginx `auth_request` module has strict semantics (non-negotiable):

| Subrequest status | nginx behavior |
|---|---|
| 2xx | Allow request |
| 401 / 403 | Deny → trigger `error_page` |
| **Any other status** | **Internal error → 500** |

The `/oauth2/auth` endpoint is used as a **policy oracle** (yes/no decision), not as a browser-facing endpoint. It cannot return redirects.

Any nginx deployment with:
- `skip-provider-button=true`
- Using `auth_request` directive

Will receive 500 errors instead of the expected authentication flow.

The correct fix for oauth2-proxy#334 is a **documentation update**, not a code change:

```nginx
error_page 401 = @oauth2_signin;

location @oauth2_signin {
    return 302 /oauth2/sign_in?rd=$scheme://$host$request_uri;
}
```

This keeps `/oauth2/auth` as a pure 401/2xx oracle and lets nginx perform the proper 302 redirect to the browser.

- Original Issue: oauth2-proxy#334
- Regression introduced in PR: oauth2-proxy#3309

Signed-off-by: Stefan Markmann <stefan@markmann.net>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
…andling (oauth2-proxy#3315)

* docs(nginx): Clarify auth_request redirect pattern with named location

  Update the nginx integration documentation to recommend using a named location (@oauth2_signin) for the error_page directive instead of the previous 'error_page 401 =403' approach.

  The named location pattern ensures the browser receives a proper 302 redirect, which is required for --skip-provider-button=true to work correctly.

  The previous pattern (error_page 401 =403 /oauth2/sign_in) returned a 403 status with a Location header. Browsers do not auto-follow redirects on 403 responses, causing users to see a 'Found.' link instead of being automatically redirected to the IdP.

  Changes:
  - Updated main nginx example to use @oauth2_signin named location
  - Added 'Understanding the error_page redirect pattern' section
  - Added warning about the limitations of 'error_page 401 =403'
  - Updated local test environment (contrib/local-environment/nginx.conf)

  Refs: oauth2-proxy#334

  Signed-off-by: Stefan Markmann <stefan@markmann.net>

* docs: clarify browser vs API routes for nginx auth_request redirects

  Add new "Browser vs API Routes" section explaining:
  - Use 302 redirect to /oauth2/sign_in only for browser-facing routes
  - Use 401/403 without redirect for API/machine clients

  This ensures:
  - Browsers get a redirect and smooth login flow
  - API clients fail fast with appropriate HTTP status codes
  - /oauth2/auth remains a pure boolean oracle (2xx/401)

  Signed-off-by: Stefan Markmann <stefan@markmann.net>
  Signed-off-by: Jan Larwig <jan@larwig.com>

---------

Signed-off-by: Stefan Markmann <stefan@markmann.net>
Signed-off-by: Jan Larwig <jan@larwig.com>
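A complete nginx server block that follows the pattern described in the revert (oauth2-proxy#3314) and the docs commit (oauth2-proxy#3315) above: `/oauth2/auth` stays a 2xx/401 oracle, browser routes get a real 302 via a named location, and API routes get the bare 401. This is an added illustration, not the project's own documentation; the upstream names `oauth2-proxy:4180` and `backend:8080`, the hostname and the `/api/` prefix are assumed.

```nginx
server {
    listen 80;
    server_name app.localtest.me;   # assumed hostname

    # Subrequest target: oauth2-proxy's AuthOnly endpoint. It answers 2xx or 401 only,
    # which is the contract auth_request requires (any other status becomes a 500).
    location = /oauth2/auth {
        internal;
        proxy_pass            http://oauth2-proxy:4180;
        proxy_set_header      Host            $host;
        proxy_set_header      X-Real-IP       $remote_addr;
        proxy_set_header      X-Forwarded-Uri $request_uri;
        proxy_set_header      Content-Length  "";
        proxy_pass_request_body off;
    }

    # Browser-facing login endpoints of oauth2-proxy (sign_in, start, callback, ...).
    location /oauth2/ {
        proxy_pass            http://oauth2-proxy:4180;
        proxy_set_header      Host            $host;
        proxy_set_header      X-Real-IP       $remote_addr;
        proxy_set_header      X-Forwarded-Uri $request_uri;
    }

    # Browser route: nginx itself turns the oracle's 401 into a 302 the browser follows.
    location / {
        auth_request /oauth2/auth;
        error_page 401 = @oauth2_signin;
        auth_request_set $user $upstream_http_x_auth_request_user;
        proxy_set_header X-User $user;
        proxy_pass http://backend:8080;
    }

    # Named location referenced by error_page above; rd= carries the original URL.
    location @oauth2_signin {
        return 302 /oauth2/sign_in?rd=$scheme://$host$request_uri;
    }

    # API route: no error_page here, so machine clients receive the plain 401 and
    # fail fast. error_page is inherited from the enclosing block only when a
    # level defines none, which is why the browser mapping lives inside "location /"
    # rather than at server level.
    location /api/ {
        auth_request /oauth2/auth;
        proxy_pass http://backend:8080;
    }
}
```

Verify the split with a browser request to `/` (expect 302 to `/oauth2/sign_in`) and an unauthenticated request to `/api/` (expect 401, no Location header); a 500 on either indicates the oracle returned something other than 2xx/401.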
Signed-off-by: Jan Larwig <jan@larwig.com>
* update to release version v7.14.2 * doc: changelog entry for v7.14.2 Signed-off-by: Jan Larwig <jan@larwig.com> * doc: fix nginx example docker-compose Signed-off-by: Jan Larwig <jan@larwig.com> --------- Signed-off-by: Jan Larwig <jan@larwig.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Jan Larwig <jan@larwig.com>
…educe residual risk of command injection (oauth2-proxy#3337) Signed-off-by: Jan Larwig <jan@larwig.com>
Signed-off-by: Yann Lacroix <yann.lacroix@advans-group.com>