pomerium

mirror of https://github.com/pomerium/pomerium.git synced 2025-04-30 02:46:30 +02:00

Author	SHA1	Message	Date
Caleb Doxsey	43dfdc0700	authenticate: POC for supporting alternative OIDC redirect URLs	2022-01-26 08:21:46 -07:00
Caleb Doxsey	fd97561ab1	ping: identity and directory providers (#1975 ) * ping: add identity provider * ping: implement directory provider * ping, not onelogin * ping, not onelogin * escape path params	2021-03-10 16:25:49 -07:00
Caleb Doxsey	5e3aa91f23	authenticate: delay evaluation of OIDC provider (#1802 ) * authenticate: delay evaluation of OIDC provider * add additional error message * address comments	2021-01-26 09:20:56 -07:00
Caleb Doxsey	a85b3b04c1	store raw id token so it can be passed to the logout url (#1543 )	2020-10-26 10:20:23 -06:00
Caleb Doxsey	88580cf2fb	auth0: implement identity provider (#1470 ) * auth0: implement identity provider * add auth0 guide * fix naming	2020-09-29 09:06:58 -06:00
Caleb Doxsey	045c10edc6	authenticate: support reloading IDP settings (#1273 ) * identity: add name method to provider * authenticate: support dynamically loading the provider	2020-08-13 12:14:30 -06:00
Caleb Doxsey	dbd7f55b20	feature/databroker: user data and session refactor project (#926 ) * databroker: add databroker, identity manager, update cache (#864) * databroker: add databroker, identity manager, update cache * fix cache tests * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * authorize: use databroker data for rego policy (#904) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix gitlab test * use v4 backoff * authenticate: databroker changes (#914) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix dashboard * delete session on logout * permanently delete sessions once they are marked as deleted * remove permanent delete * fix tests * remove groups and refresh test * databroker: remove dead code, rename cache url, move dashboard (#925) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix dashboard * delete session on logout * permanently delete sessions once they are marked as deleted * remove permanent delete * fix tests * remove cache service * remove kv * remove refresh docs * remove obsolete cache docs * add databroker url option * cache: use memberlist to detect multiple instances * add databroker service url * remove cache service * remove kv * remove refresh docs * remove obsolete cache docs * add databroker url option * cache: use memberlist to detect multiple instances * add databroker service url * wip * remove groups and refresh test * fix redirect, signout * remove databroker client from proxy * remove unused method * remove user dashboard test * handle missing session ids * session: reject sessions with no id * sessions: invalidate old sessions via databroker server version (#930) * session: add a version field tied to the databroker server version that can be used to invalidate sessions * fix tests * add log * authenticate: create user record immediately, call "get" directly in authorize (#931)	2020-06-19 07:52:44 -06:00
Bobby DeSimone	666fd6aa35	authenticate: save oauth2 tokens to cache (#698 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-05-18 17:10:10 -04:00
Bobby DeSimone	627a591824	identity: abstract identity providers by type (#560 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-04-23 10:36:24 -07:00
Ogundele Olumide	75f4dadad6	identity/provider: implement generic revoke method (#595 ) Co-authored-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-04-21 14:40:33 -07:00
Ogundele Olumide	ae4204d42b	internal/identity: implement github provider support (#582 ) Co-authored-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-04-10 10:48:14 -07:00
Travis Groth	799d1ad162	Use Host:port for JWT audience generation Signed-off-by: Travis Groth <travisgroth@users.noreply.github.com> (#562)	2020-03-25 22:15:15 -04:00
Ogundele Olumide	3dd9188004	feat: gitlab oidc/ oauth provider (#518 ) - implement gitlab oauth support - add documentation for the gitlab support	2020-03-16 19:58:49 -07:00
Bobby DeSimone	ba14ea246d	*: remove import path comments (#545 ) - import path comments are obsoleted by the go.mod file's module statement Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-03-16 10:13:47 -07:00
Bobby DeSimone	6f4b26abe2	identity: support oidc UserInfo Response (#529 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2020-03-12 20:56:40 -07:00
Bobby DeSimone	0f6a9d7f1d	proxy: fix forward auth, request signing Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-11-25 14:29:52 -08:00
Bobby DeSimone	d3d60d1055	all: support route scoped sessions Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-11-06 17:54:15 -08:00
Bobby DeSimone	380d314404	authenticate: make service http only - Rename SessionState to State to avoid stutter. - Simplified option validation to use a wrapper function for base64 secrets. - Removed authenticates grpc code. - Abstracted logic to load and validate a user's authenticate session. - Removed instances of url.Parse in favor of urlutil's version. - proxy: replaces grpc refresh logic with forced deadline advancement. - internal/sessions: remove rest store; parse authorize header as part of session store. - proxy: refactor request signer - sessions: remove extend deadline (fixes #294) - remove AuthenticateInternalAddr - remove AuthenticateInternalAddrString - omit type tag.Key from declaration of vars TagKey* it will be inferred from the right-hand side - remove compatibility package xerrors - use cloned http.DefaultTransport as base transport	2019-09-04 16:27:08 -07:00
Bobby DeSimone	a962877ad4	config: fix url type regression (#253 ) Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-08-03 12:08:26 -07:00
Bobby DeSimone	2c1953b0ec	internal/config: pass urls by value Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-08-02 15:46:18 -07:00
Bobby DeSimone	5edfa7b03f	telemetry: add tracing - telemetry/tace: add traces throughout code - telemetry/metrics: nest metrics and trace under telemetry - telemetry/tace: add service name span to HTTPMetricsHandler. - telemetry/metrics: removed chain dependency middleware_tests. - telemetry/metrics: wrap and encapsulate variatic view registration. - telemetry/tace: add jaeger support for tracing. - cmd/pomerium: move `parseOptions` to internal/config. - cmd/pomerium: offload server handling to httputil and sub pkgs. - httputil: standardize creation/shutdown of http listeners. - httputil: prefer curve X25519 to P256 when negotiating TLS. - fileutil: use standardized Getw Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>	2019-07-24 09:20:16 -07:00
Bobby DeSimone	cf0f98536a	authenticate: programmatic access support - authenticate: added a token exchange api endpoint that converts an identity provider's JWT into a pomerium session. - internal/identity: authenticate now passes context. - internal/identity: removed extraneous GetSignInURL from okta. - internal/sessions: add rest store - update go.mod / go.sum depedencies. - docs: add programmatic examples in shell and python	2019-06-12 14:51:19 -07:00
Bobby DeSimone	66b4c2d3cd	authenticate/proxy: add user impersonation, refresh, dashboard (#123 ) proxy: Add user dashboard. [GH-123] proxy/authenticate: Add manual refresh of their session. [GH-73] authorize: Add administrator (super user) account support. [GH-110] internal/policy: Allow administrators to impersonate other users. [GH-110]	2019-05-26 12:33:00 -07:00
Bobby DeSimone	c13459bb88	authorize: add authorization (#59 ) * authorize: authorization module adds support for per-route access policy. In this release we support the most common forms of identity based access policy: `allowed_users`, `allowed_groups`, and `allowed_domains`. In future versions, the authorization module will also support context and device based authorization policy and decisions. See website documentation for more details. * docs: updated `env.example` to include a `POLICY` setting example. * docs: added `IDP_SERVICE_ACCOUNT` to `env.example` . * docs: removed `PROXY_ROOT_DOMAIN` settings which has been replaced by `POLICY`. * all: removed `ALLOWED_DOMAINS` settings which has been replaced by `POLICY`. Authorization is now handled by the authorization service and is defined in the policy configuration files. * proxy: `ROUTES` settings which has been replaced by `POLICY`. * internal/log: `http.Server` and `httputil.NewSingleHostReverseProxy` now uses pomerium's logging package instead of the standard library's built in one. Closes #54 Closes #41 Closes #61 Closes #58	2019-03-07 12:47:07 -08:00
Bobby DeSimone	1187be2bf3	authenticator: support groups (#57 ) - authenticate/providers: add group support to azure - authenticate/providers: add group support to google - authenticate/providers: add group support to okta - authenticate/providers: add group support to onelogin - {authenticate/proxy}: change default cookie lifetime timeout to 14 hours - proxy: sign group membership - proxy: add group header - deployment: add CHANGELOG - deployment: fix where make release wasn’t including version	2019-02-28 19:34:22 -08:00

25 commits