Skip to content

Commit

Permalink
Merge pull request #1665 from oauth2-proxy/release-7.3.0
Browse files Browse the repository at this point in the history
Release 7.3.0
  • Loading branch information
JoelSpeed authored May 29, 2022
2 parents d3f428a + 4344610 commit db74661
Show file tree
Hide file tree
Showing 17 changed files with 2,145 additions and 4 deletions.
15 changes: 15 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,20 +2,35 @@

## Release Highlights

## Important Notes

## Breaking Changes

## Changes since v7.3.0

# V7.3.0

## Release Highlights

- [#1361](https://github.com/oauth2-proxy/oauth2-proxy/pull/1541) PKCE Code Challenge Support - RFC-7636 (@braunsonm)
- At this time the `--code-challenge-method` flag can be used to enable it with the method of your choice.
- Parital support for OAuth2 Authorization Server Metadata for detecting code challenge methods (@braunsonm)
- A warning will be displayed when your provider advertises support for PKCE but you have not enabled it.
- Support for the ARMv8 and ppc64le architectures
- Configurable upstream request timeouts

## Important Notes

- [oauth2-proxy](https://quay.io/repository/oauth2-proxy/oauth2-proxy?tab=tags&tag=latest) separate image tags for each architecture is deprecated. Instead, images are cross compiled and pushed as the same tag for every platform.
If you are using an architecture specific tag (ex: v7.2.1-arm64) you should move to the generic tag instead (ex: v7.2.1 )
- [#1478](https://github.com/oauth2-proxy/oauth2-proxy/pull/1478) Changes the UID and GID of the runtime user to `65532`.
Which also is known as `nonroot` user in [distroless images](https://github.com/GoogleContainerTools/distroless).
- This release includes fixes for a number of CVEs, we recomend to upgrade as soon as possible.

## Breaking Changes

N/A

## Changes since v7.2.1

- [#1662](https://github.com/oauth2-proxy/oauth2-proxy/pull/1662) Discover signature algorithms from OIDC provider (@JoelSpeed)
Expand Down
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ Going forward, all images shall be available at `quay.io/oauth2-proxy/oauth2-pro

1. Choose how to deploy:

a. Download [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v7.2.1`)
a. Download [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v7.3.0`)

b. Build with `$ go get github.com/oauth2-proxy/oauth2-proxy/v7` which will put the binary in `$GOROOT/bin`

Expand Down
2 changes: 1 addition & 1 deletion contrib/local-environment/docker-compose-keycloak.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ services:

oauth2-proxy:
container_name: oauth2-proxy
image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.1
image: quay.io/oauth2-proxy/oauth2-proxy:v7.3.0
command: --config /oauth2-proxy.cfg
hostname: oauth2-proxy
volumes:
Expand Down
2 changes: 1 addition & 1 deletion contrib/local-environment/docker-compose.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ version: '3.0'
services:
oauth2-proxy:
container_name: oauth2-proxy
image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.1
image: quay.io/oauth2-proxy/oauth2-proxy:v7.3.0
command: --config /oauth2-proxy.cfg
ports:
- 4180:4180/tcp
Expand Down
2 changes: 1 addition & 1 deletion docs/docs/installation.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ slug: /

1. Choose how to deploy:

a. Download [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v7.2.1`)
a. Download [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v7.3.0`)

b. Build with `$ go get github.com/oauth2-proxy/oauth2-proxy/v7` which will put the binary in `$GOPATH/bin`

Expand Down
11 changes: 11 additions & 0 deletions docs/versioned_docs/version-7.3.x/behaviour.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
---
id: behaviour
title: Behaviour
---

1. Any request passing through the proxy (and not matched by `--skip-auth-regex`) is checked for the proxy's session cookie (`--cookie-name`) (or, if allowed, a JWT token - see `--skip-jwt-bearer-tokens`).
2. If authentication is required but missing then the user is asked to log in and redirected to the authentication provider (unless it is an Ajax request, i.e. one with `Accept: application/json`, in which case 401 Unauthorized is returned)
3. After returning from the authentication provider, the oauth tokens are stored in the configured session store (cookie, redis, ...) and a cookie is set
4. The request is forwarded to the upstream server with added user info and authentication headers (depending on the configuration)

Notice that the proxy also provides a number of useful [endpoints](features/endpoints.md).
49 changes: 49 additions & 0 deletions docs/versioned_docs/version-7.3.x/community/security.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,49 @@
---
id: security
title: Security
---

:::note
OAuth2 Proxy is a community project.
Maintainers do not work on this project full time, and as such,
while we endeavour to respond to disclosures as quickly as possible,
this may take longer than in projects with corporate sponsorship.
:::

## Security Disclosures

:::important
If you believe you have found a vulnerability within OAuth2 Proxy or any of its
dependencies, please do NOT open an issue or PR on GitHub, please do NOT post
any details publicly.
:::

Security disclosures MUST be done in private.
If you have found an issue that you would like to bring to the attention of the
maintenance team for OAuth2 Proxy, please compose an email and send it to the
list of maintainers in our [MAINTAINERS](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/MAINTAINERS) file.

Please include as much detail as possible.
Ideally, your disclosure should include:
- A reproducible case that can be used to demonstrate the exploit
- How you discovered this vulnerability
- A potential fix for the issue (if you have thought of one)
- Versions affected (if not present in master)
- Your GitHub ID

### How will we respond to disclosures?

We use [GitHub Security Advisories](https://docs.github.com/en/github/managing-security-vulnerabilities/about-github-security-advisories)
to privately discuss fixes for disclosed vulnerabilities.
If you include a GitHub ID with your disclosure we will add you as a collaborator
for the advisory so that you can join the discussion and validate any fixes
we may propose.

For minor issues and previously disclosed vulnerabilities (typically for
dependencies), we may use regular PRs for fixes and forego the security advisory.

Once a fix has been agreed upon, we will merge the fix and create a new release.
If we have multiple security issues in flight simultaneously, we may delay
merging fixes until all patches are ready.
We may also backport the fix to previous releases,
but this will be at the discretion of the maintainers.
Loading

0 comments on commit db74661

Please sign in to comment.