github oauth2-proxy/oauth2-proxy v6.0.0

3 years ago

Release Highlights

  • Migrated to an independent GitHub organisation
  • Added local test environment examples using docker-compose and kind
  • Error pages will now be rendered when upstream connections fail
  • Non-Existent options in config files will now return errors on startup
  • Sessions are now always encrypted, independent of configuration

Important Notes

  • (Security) Fix for open redirect vulnerability.
    • More invalid redirects that lead to open-redirects were reported
    • An extensive test suite has been added to prevent future regressions
  • #453 Responses to endpoints with a proxy prefix will now return headers for preventing browser caching.

Breaking Changes

  • #464 Migration from Pusher to independent org may have introduced breaking changes for your environment.
    • See the changes listed below for PR #464 for full details
    • Binaries renamed from oauth2_proxy to oauth2-proxy
  • #440 Switch Azure AD Graph API to Microsoft Graph API
    • The Azure AD Graph API has been deprecated and is being replaced by the Microsoft Graph API.
      If your application relies on the access token being passed to it to access the Azure AD Graph API, you should migrate your application to use the Microsoft Graph API.
      Existing behaviour can be retained by setting -resource=https://graph.windows.net.
  • #484 Configuration loading has been replaced with Viper and PFlag
    • Flags now require a -- prefix before the option
    • Previously flags allowed either - or -- to prefix the option name
    • Eg -provider must now be --provider
  • #487 Switch flags to StringSlice instead of StringArray
    • Options that take multiple arguments now split strings on commas if present
    • Eg --foo=a,b,c,d would result in the values a, b, c and d instead of a single a,b,c,d value as before
  • #535 Drop support for pre v3.1 cookies
    • The encoding for session cookies was changed starting in v3.1.0, support for the previous encoding is now dropped
    • If you are upgrading from a version earlier than this, please upgrade via a version between v3.1.0 and v5.1.1
  • #537 Drop Fallback to Email if User not set
    • Previously, when a session was loaded, if the User was not set, it would be replaced by the Email.
      This behaviour was inconsistent as it required the session to be stored and then loaded to function properly.
    • This behaviour has now been removed and the User field will remain empty if it was not set when the session was saved.
    • In some scenarios X-Forwarded-User will now be empty. Use X-Forwarded-Email instead.
    • In some scenarios, this may break setting Basic Auth on upstream or responses.
      Use --prefer-email-to-user to restore falling back to the Email in these cases.
  • #556 Remove unintentional auto-padding of secrets that were too short
    • Previously, after cookie-secrets were opportunistically base64 decoded to raw bytes,
      they were padded to have a length divisible by 4.
    • This meant a wrongly sized secret could be padded up to a valid AES length of 16, 24, or 32 bytes, or it produced confusing errors
      reporting an invalid length of 20 or 28 when the cookie-secret the user entered was not that length.
    • Now we will only base64 decode a cookie-secret to raw bytes if it is 16, 24, or 32 bytes long. Otherwise, we will convert
      the direct cookie-secret to bytes without silent padding added.
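The decoding rule above, written out as an added illustration (not the project's own code): base64-decode opportunistically, keep the decoded bytes only if they are a valid AES key length, otherwise use the literal string bytes with no padding. It also shows the caveat this rule implies: a 32-character secret made only of base64 alphabet characters decodes to 24 bytes and is used as an AES-192 key rather than the literal 32 bytes.

```go
package main

import (
	"encoding/base64"
	"fmt"
)

// validAESKeyLen reports whether n is a legal AES key length (AES-128/192/256).
func validAESKeyLen(n int) bool {
	return n == 16 || n == 24 || n == 32
}

// secretBytes applies the v6.0.0 rule (illustrative reimplementation, assumed
// semantics): try base64 decoding first and use the result only if it is
// 16, 24 or 32 bytes; otherwise fall back to the raw string bytes without
// any silent padding. Because sessions are now always encrypted, the final
// key must be a valid AES length or configuration fails.
func secretBytes(secret string) ([]byte, error) {
	for _, enc := range []*base64.Encoding{base64.StdEncoding, base64.URLEncoding} {
		if b, err := enc.DecodeString(secret); err == nil && validAESKeyLen(len(b)) {
			return b, nil
		}
	}
	raw := []byte(secret)
	if !validAESKeyLen(len(raw)) {
		return nil, fmt.Errorf("cookie-secret must be 16, 24 or 32 bytes, got %d", len(raw))
	}
	return raw, nil
}

func main() {
	// Constructed sample inputs: a plain 16-byte secret, a 32-character
	// base64-looking secret (decodes to 24 bytes), and a 20-byte secret.
	for _, s := range []string{"0123456789abcdef", "abcdefghijklmnopqrstuvwxyz012345", "12345678901234567890"} {
		b, err := secretBytes(s)
		fmt.Printf("%q -> %d bytes, err=%v\n", s, len(b), err)
	}
}
```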
  • #412/#559 Allow multiple cookie domains to be specified
    • Multiple cookie domains may now be configured. The longest domain that matches will be used.
    • The config options cookie_domain is now cookie_domains
    • The environment variable OAUTH2_PROXY_COOKIE_DOMAIN is now OAUTH2_PROXY_COOKIE_DOMAINS
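Longest-match selection among several cookie domains, as an added example rather than the project's code; it assumes domains are matched against the request Host and additionally requires a label boundary so that a configured example.com never matches a host such as evil-example.com.

```go
package main

import (
	"net"
	"strings"
)

// matchingCookieDomain returns the longest configured domain that the request
// host belongs to, or "" when none matches. The order of the configured list
// does not matter; the longest match always wins. Illustrative only.
func matchingCookieDomain(host string, domains []string) string {
	// Strip a port (host:443) if present; a bare host is left unchanged.
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	host = strings.ToLower(strings.TrimSuffix(host, "."))

	best := ""
	for _, d := range domains {
		d = strings.ToLower(strings.TrimPrefix(d, "."))
		if d == "" {
			continue
		}
		// Exact match or a true sub-domain (label boundary enforced).
		if (host == d || strings.HasSuffix(host, "."+d)) && len(d) > len(best) {
			best = d
		}
	}
	return best
}

func main() {
	// Constructed configuration equivalent to --cookie-domain=example.com,app.example.com
	cfg := []string{"example.com", "app.example.com"}
	for _, h := range []string{"app.example.com:443", "api.example.com", "evil-example.com"} {
		println(h, "->", matchingCookieDomain(h, cfg))
	}
}
```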
  • #414 Always encrypt sessions regardless of config
    • Previously, sessions were encrypted only when certain options were configured.
      This led to confusion and misconfiguration as it was not obvious when a session should be encrypted.
    • Cookie Secrets must now be 16, 24 or 32 bytes.
    • If you need to change your secret, this will force users to reauthenticate.
  • #548 Separate logging options out of main options structure
    • Fixes an inconsistency in the --exclude-logging-paths option by renaming it to --exclude-logging-option.
    • This flag may now be given multiple times as with other list options
    • This flag also accepts comma separated values
  • #639 Change how gitlab-group is parsed on options
    • Previously, the flag gitlab-group used comma separated values, while the config option used space separated values.
    • This fixes the config value to use slices internally.
    • The config option gitlab_group is now gitlab_groups
    • The environment variable OAUTH2_PROXY_GITLAB_GROUP is now OAUTH2_PROXY_GITLAB_GROUPS

Changes since v5.1.1

  • GHSA-5m6c-jp6f-2vcv New OpenRedirect cases have been found (@JoelSpeed)
  • #639 Change how gitlab-group is parsed on options (@linuxgemini)
  • #615 Kubernetes example based on Kind cluster and Nginx ingress (@EvgeniGordeev)
  • #596 Validate Bearer IDTokens in headers with correct provider/extra JWT Verifier (@NickMeves)
  • #620 Add HealthCheck middleware (@JoelSpeed)
  • #597 Don't log invalid redirect if redirect is empty (@JoelSpeed)
  • #604 Add Keycloak local testing environment (@EvgeniGordeev)
  • #539 Refactor encryption ciphers and add AES-GCM support (@NickMeves)
  • #601 Ensure decrypted user/email are valid UTF8 (@JoelSpeed)
  • #560 Fallback to UserInfo if User ID claim not present (@JoelSpeed)
  • #598 acr_values no longer sent to IdP when empty (@ScottGuymer)
  • #548 Separate logging options out of main options structure (@JoelSpeed)
  • #567 Allow health/ping request to be identified via User-Agent (@chkohner)
  • #536 Improvements to Session State code (@JoelSpeed)
  • #573 Properly parse redis urls for cluster and sentinel connections (@amnay-mo)
  • #574 render error page on 502 proxy status (@amnay-mo)
  • #559 Rename cookie-domain config to cookie-domains (@JoelSpeed)
  • #569 Updated autocompletion for -- long options. (@Izzette)
  • #489 Move Options and Validation to separate packages (@JoelSpeed)
  • #556 Remove unintentional auto-padding of secrets that were too short (@NickMeves)
  • #538 Refactor sessions/utils.go functionality to other areas (@NickMeves)
  • #503 Implements --real-client-ip-header option to select the header from which to obtain a proxied client's IP (@Izzette)
  • #529 Add local test environments for testing changes and new features (@JoelSpeed)
  • #537 Drop Fallback to Email if User not set (@JoelSpeed)
  • #535 Drop support for pre v3.1 cookies (@JoelSpeed)
  • #533 Set up code coverage within Travis for Code Climate (@JoelSpeed)
  • #514 Add basic string functions to templates (@n-i-x)
  • #524 Sign cookies with SHA256 (@NickMeves)
  • #515 Drop configure script in favour of native Makefile env and checks (@JoelSpeed)
  • #519 Support context in providers (@johejo)
  • #487 Switch flags to PFlag to remove StringArray (@JoelSpeed)
  • #484 Replace configuration loading with Viper (@JoelSpeed)
  • #499 Add -user-id-claim to support generic claims in addition to email (@holyjak)
  • #486 Add new linters (@johejo)
  • #440 Switch Azure AD Graph API to Microsoft Graph API (@johejo)
  • #453 Prevent browser caching during auth flow (@johejo)
  • #467 Allow OIDC issuer verification to be skipped (@chkohner)
  • #481 Update Okta docs (@trevorbox)
  • #474 Always log hasMember request error object (@jbielick)
  • #468 Implement graceful shutdown and propagate request context (@johejo)
  • #464 Migrate to oauth2-proxy/oauth2-proxy (@JoelSpeed)
    • Project renamed from pusher/oauth2_proxy to oauth2-proxy
    • Move Go import path from github.com/pusher/oauth2_proxy to github.com/oauth2-proxy/oauth2-proxy
    • Remove Pusher Cloud Team from CODEOWNERS
    • Release images moved to quay.io/oauth2-proxy/oauth2-proxy
    • Binaries renamed from oauth2_proxy to oauth2-proxy
  • #432 Update ruby dependencies for documentation (@theobarberbany)
  • #471 Add logging in case of invalid redirects (@gargath)
  • #462 Allow HTML in banner message (@eritikass)
  • #412 Allow multiple cookie domains to be specified (@edahlseng)
  • #413 Add -set-basic-auth param to set the Basic Authorization header for upstreams (@morarucostel)
  • #483 Warn users when session cookies are split (@JoelSpeed)
  • #488 Set-Basic-Auth should default to false (@JoelSpeed)
  • #494 Upstream websockets TLS certificate validation now depends on ssl-upstream-insecure-skip-verify (@yaroslavros)
  • #497 Restrict access using Github collaborators (@jsclayton)
  • #414 Always encrypt sessions regardless of config (@ti-mo)
  • #421 Allow logins by usernames even if they do not belong to the specified org and team or collaborators (@yyoshiki41)
