Release Highlights
- Major internal improvements to provider interfaces
- Added group authorization support
- Improved support for external auth for Traefik
- Introduced alpha configuration format to allow users to trial new configuration format and alpha features
- GitLab provider now supports restricting to members of a project
- Keycloak provider now supports restricting users to members of a set of groups
- (Alpha) Flexible header configuration allowing user defined mapping of session claims to header values
Important Notes
- GHSA-4mf2-f3wh-gvf2 The whitelist domain feature has been updated to fix a vulnerability that was identified; please see the linked advisory for details
- #964 Redirect URL generation will attempt secondary strategies in the priority chain if any fail the `IsValidRedirect` security check. Previously any failures fell back to `/`.
- #953 Keycloak will now use `--profile-url` if set for the userinfo endpoint instead of `--validate-url`. `--validate-url` will still work for backwards compatibility.
- #957 To use X-Forwarded-{Proto,Host,Uri} on redirect detection, `--reverse-proxy` must be `true`.
- #936 `--user-id-claim` option is deprecated and replaced by `--oidc-email-claim`
- #630 GitLab projects need a GitLab application with the extra `read_api` enabled
- #849 `/oauth2/auth` `allowed_groups` querystring parameter can be paired with the `allowed-groups` configuration option.
  - The `allowed_groups` querystring parameter can specify multiple comma delimited groups.
  - In this scenario, the user must have a group (from their multiple groups) present in both lists to not get a 401 or 403 response code.
  - Example:
    - OAuth2-Proxy globally sets the `allowed_groups` as `engineering`.
    - An application using Kubernetes ingress uses the `/oauth2/auth` endpoint with `allowed_groups` querystring set to `backend`.
    - A user must have a session with the groups `["engineering", "backend"]` to pass authorization.
    - Another user with the groups `["engineering", "frontend"]` would fail the querystring authorization portion.
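The two-list rule above, as added example code written for these notes (not oauth2-proxy's own implementation; `authorized`, `hasAnyGroup` and `parseQueryGroups` are assumed names): a session passes only if it holds a group from the global `allowed-groups` setting and a group from the `allowed_groups` querystring, using the engineering/backend/frontend case from the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example, not oauth2-proxy's own code: the session must hold a group from
// the global allowed-groups list AND one from the allowed_groups querystring.
// parseQueryGroups splits the comma-delimited querystring value, trimming
// whitespace and dropping empty entries.
func parseQueryGroups(raw string) []string {
	var groups []string
	for _, g := range strings.Split(raw, ",") {
		if g = strings.TrimSpace(g); g != "" {
			groups = append(groups, g)
		}
	}
	return groups
}

// hasAnyGroup reports whether the session holds a wanted group; an empty wanted list (no filter) passes.
func hasAnyGroup(sessionGroups, wanted []string) bool {
	if len(wanted) == 0 {
		return true
	}
	have := make(map[string]struct{}, len(sessionGroups))
	for _, g := range sessionGroups {
		have[g] = struct{}{}
	}
	for _, w := range wanted {
		if _, ok := have[w]; ok {
			return true
		}
	}
	return false
}

// authorized applies both filters; a false result is what becomes the 401 or 403 response.
func authorized(sessionGroups, globalAllowed []string, queryParam string) bool {
	return hasAnyGroup(sessionGroups, globalAllowed) &&
		hasAnyGroup(sessionGroups, parseQueryGroups(queryParam))
}

func main() {
	global := []string{"engineering"} // globally configured allowed-groups
	fmt.Println(authorized([]string{"engineering", "backend"}, global, "backend"))  // true
	fmt.Println(authorized([]string{"engineering", "frontend"}, global, "backend")) // false
}
```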
- #905 Existing sessions from v6.0.0 or earlier are no longer valid. They will trigger a reauthentication.
- #826 `skip-auth-strip-headers` now applies to all requests, not just those where authentication would be skipped.
- #797 The behavior of the Google provider Groups restriction changes with this release
  - Either `--google-group` or the new `--allowed-group` will work for Google now (`--google-group` will be used if both are set)
  - Group membership lists will be passed to the backend with the `X-Forwarded-Groups` header
  - If you change the list of allowed groups, existing sessions that now don't have a valid group will be logged out immediately.
    - Previously, group membership was only checked on session creation and refresh.
- #789 `--skip-auth-route` is (almost) backwards compatible with `--skip-auth-regex`
  - We are marking `--skip-auth-regex` as DEPRECATED and will remove it in the next major version.
  - If your regex contains an `=` and you want it for all methods, you will need to add a leading `=` (this is the area where `--skip-auth-regex` doesn't port perfectly)
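An added example, not the project's own code, of the `METHOD=pathRegex` parsing that the leading-`=` caveat refers to (`parseSkipRoute` and `skipAuth` are assumed names): splitting at the first `=` is what makes a regex containing `=` need the leading `=` to apply to all methods.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Added example, not oauth2-proxy's own code: parse "METHOD=pathRegex" entries
// and apply them. The split happens at the FIRST "=" only, which is why a regex
// that itself contains "=" and should match all methods needs a leading "=".
type skipRule struct {
	method string // "" matches every method
	path   *regexp.Regexp
}

// parseSkipRoute turns one --skip-auth-route value into a rule.
func parseSkipRoute(route string) (skipRule, error) {
	var rule skipRule
	pattern := route
	if parts := strings.SplitN(route, "=", 2); len(parts) == 2 {
		rule.method = strings.ToUpper(strings.TrimSpace(parts[0]))
		pattern = parts[1]
	}
	re, err := regexp.Compile(pattern)
	if err != nil {
		return rule, fmt.Errorf("skip route %q: bad regex %q: %w", route, pattern, err)
	}
	rule.path = re
	return rule, nil
}

// skipAuth reports whether a request bypasses authentication under rules.
func skipAuth(rules []skipRule, method, path string) bool {
	for _, r := range rules {
		if (r.method == "" || r.method == strings.ToUpper(method)) && r.path.MatchString(path) {
			return true
		}
	}
	return false
}

func main() {
	// Without the leading "=", "^/cb\?state" would be read as the method name.
	for _, raw := range []string{"GET=^/healthz$", "^/public/", `=^/cb\?state=.*`} {
		if r, err := parseSkipRoute(raw); err == nil {
			fmt.Printf("%-18s method=%q regex=%s\n", raw, r.method, r.path)
		}
	}
}
```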
- #575 Sessions from v5.1.1 or earlier will no longer validate since they were not signed with SHA1.
  - Sessions from v6.0.0 or later had a graceful conversion to SHA256 that resulted in no reauthentication
  - Upgrading from v5.1.1 or earlier will result in a reauthentication
- #616 Ensure you have configured oauth2-proxy to use the `groups` scope.
  - The user may be logged out initially as they may not currently have the `groups` claim; however, after going back through the login process they will be authenticated.
- #839 Enables complex data structures for group claim entries, which are output as JSON by default.
Breaking Changes
- #964 `--reverse-proxy` must be true to trust `X-Forwarded-*` headers as canonical. These are used throughout the application in redirect URLs, cookie domains and host logging logic. These are the headers:
  - `X-Forwarded-Proto` instead of `req.URL.Scheme`
  - `X-Forwarded-Host` instead of `req.Host`
  - `X-Forwarded-Uri` instead of `req.URL.RequestURI()`
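The gate described above as added example code (not oauth2-proxy's own source; `canonicalize` and `trustedHeader` are assumed names): the X-Forwarded-* values replace the request's own scheme, host and URI only when `--reverse-proxy` is true, so without the flag a client-supplied header cannot influence redirect URLs or cookie domains.

```go
package main

import (
	"fmt"
	"net/http"
)

// Added example, not oauth2-proxy's own code: the header/field pairs above,
// gated on --reverse-proxy so clients cannot steer redirects or cookie domains.
type canonicalRequest struct {
	Scheme, Host, URI string
}

// trustedHeader returns the X-Forwarded-* value only when reverseProxy is set.
func trustedHeader(req *http.Request, reverseProxy bool, name string) string {
	if !reverseProxy {
		return ""
	}
	return req.Header.Get(name)
}

// canonicalize derives scheme, host and URI for redirect and cookie logic.
func canonicalize(req *http.Request, reverseProxy bool) canonicalRequest {
	c := canonicalRequest{Scheme: req.URL.Scheme, Host: req.Host, URI: req.URL.RequestURI()}
	if c.Scheme == "" { // server-side requests carry no scheme in req.URL
		c.Scheme = "http"
		if req.TLS != nil {
			c.Scheme = "https"
		}
	}
	if v := trustedHeader(req, reverseProxy, "X-Forwarded-Proto"); v != "" {
		c.Scheme = v
	}
	if v := trustedHeader(req, reverseProxy, "X-Forwarded-Host"); v != "" {
		c.Host = v
	}
	if v := trustedHeader(req, reverseProxy, "X-Forwarded-Uri"); v != "" {
		c.URI = v
	}
	return c
}

func main() {
	req, _ := http.NewRequest("GET", "http://oauth2-proxy.internal:4180/oauth2/start?rd=%2Fapp", nil)
	req.Header.Set("X-Forwarded-Proto", "https") // constructed proxy headers for the demo
	req.Header.Set("X-Forwarded-Host", "app.example.com")
	req.Header.Set("X-Forwarded-Uri", "/app/dashboard")
	fmt.Printf("reverse-proxy=false: %+v\n", canonicalize(req, false))
	fmt.Printf("reverse-proxy=true:  %+v\n", canonicalize(req, true))
}
```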
- #953 In config files & envvar configs, `keycloak_group` is now the plural `keycloak_groups`. Flag configs are still `--keycloak-group` but it can be passed multiple times.
- #911 Specifying a non-existent provider will cause OAuth2-Proxy to fail on startup instead of defaulting to "google".
- #797 Security changes to Google provider group authorization flow
  - If you change the list of allowed groups, existing sessions that now don't have a valid group will be logged out immediately.
    - Previously, group membership was only checked on session creation and refresh.
- #722 When a Redis session store is configured, OAuth2-Proxy will fail to start up unless connection and health checks to Redis pass
- #800 Fix import path for v7. The import path has changed to support the `go get` installation.
  - You can now `go get github.com/oauth2-proxy/oauth2-proxy/v7` to get the latest `v7` version of OAuth2 Proxy
  - Import paths for packages are now under `v7`, e.g. `github.com/oauth2-proxy/oauth2-proxy/v7/pkg/<module>`
- #753 A bug in the Azure provider prevented it from properly passing the configured protected `--resource` via the login URL. If this option was used in the past, behavior will change with this release as it will affect the tokens returned by Azure. In the past, the tokens were always for `https://graph.microsoft.com` (the default) and will now be for the configured resource (if it exists, otherwise it will run into errors)
- #754 The Azure provider now has token refresh functionality implemented. This means that there won't be any redirects in the browser anymore when tokens expire, but instead a token refresh is initiated in the background, which leads to new tokens being returned in the cookies.
  - Please note that `--cookie-refresh` must be 0 (the default) or equal to the token lifespan configured in Azure AD to make Azure token refresh reliable. Setting this value to 0 means that it relies on the provider implementation to decide if a refresh is required.
Changes since v6.1.1
- GHSA-4mf2-f3wh-gvf2 Subdomain checking of whitelisted domains could allow unintended redirects (@NickMeves)
- #1002 Use logger for logging refreshed session in azure and gitlab provider (@Bibob7)
- #799 Use comma separated multiple values for header (@lilida)
- #903 Add docs and generated reference for Alpha configuration (@JoelSpeed)
- #995 Add Security Policy (@JoelSpeed)
- #964 Require `--reverse-proxy` true to trust `X-Forwarded-*` type headers (@NickMeves)
- #970 Fix joined cookie name for those containing underline in the suffix (@peppered)
- #953 Migrate Keycloak to EnrichSession & support multiple groups for authorization (@NickMeves)
- #957 Use X-Forwarded-{Proto,Host,Uri} on redirect as last resort (@linuxgemini)
- #630 Add support for Gitlab project based authentication (@factorysh)
- #907 Introduce alpha configuration option to enable testing of structured configuration (@JoelSpeed)
- #938 Cleanup missed provider renaming refactor methods (@NickMeves)
- #816 (via #936) Support non-list group claims (@loafoe)
- #936 Refactor OIDC Provider and support groups from Profile URL (@NickMeves)
- #869 Streamline provider interface method names and signatures (@NickMeves)
- #849 Support group authorization on `oauth2/auth` endpoint via `allowed_groups` querystring (@NickMeves)
- #925 Fix basic auth legacy header conversion (@JoelSpeed)
- #916 Add AlphaOptions struct to prepare for alpha config loading (@JoelSpeed)
- #923 Support TLS 1.3 (@aajisaka)
- #918 Fix log header output (@JoelSpeed)
- #911 Validate provider type on startup. (@arcivanov)
- #906 Set up v6.1.x versioned documentation as default documentation (@JoelSpeed)
- #905 Remove v5 legacy sessions support (@NickMeves)
- #904 Set `skip-auth-strip-headers` to `true` by default (@NickMeves)
- #826 Integrate new header injectors into project (@JoelSpeed)
- #797 Create universal Authorization behavior across providers (@NickMeves)
- #898 Migrate documentation to Docusaurus (@JoelSpeed)
- #754 Azure token refresh (@codablock)
- #850 Increase session fields in `/oauth2/userinfo` endpoint (@NickMeves)
- #825 Fix code coverage reporting on GitHub actions (@JoelSpeed)
- #796 Deprecate GetUserName & GetEmailAdress for EnrichSessionState (@NickMeves)
- #705 Add generic Header injectors for upstream request and response headers (@JoelSpeed)
- #753 Pass resource parameter in login url (@codablock)
- #789 Add `--skip-auth-route` configuration option for `METHOD=pathRegex` based allowlists (@NickMeves)
- #575 Stop accepting legacy SHA1 signed cookies (@NickMeves)
- #722 Validate Redis configuration options at startup (@NickMeves)
- #791 Remove GetPreferredUsername method from provider interface (@NickMeves)
- #764 Document bcrypt encryption for htpasswd (and hide SHA) (@lentzi90)
- #778 Use display-htpasswd-form flag
- #616 Add support to ensure user belongs in required groups when using the OIDC provider (@stefansedich)
- #800 Fix import path for v7 (@johejo)
- #783 Update Go to 1.15 (@johejo)
- #813 Fix build (@thiagocaiubi)
- #801 Update go-redis/redis to v8 (@johejo)
- #750 ci: Migrate to Github Actions (@shinebayar-g)
- #829 Rename test directory to testdata (@johejo)
- #819 Improve CI (@johejo)
- #989 Adapt isAjax to support mimetype lists (@rassie)
- #1013 Update alpine version to 3.13 (@nishanth-pinnapareddy)