Skip to content
This repository has been archived by the owner on Jan 24, 2019. It is now read-only.

Proposal for Official Fork #628

Open
alexandre-leites opened this issue Jul 10, 2018 · 61 comments
Open

Proposal for Official Fork #628

alexandre-leites opened this issue Jul 10, 2018 · 61 comments

Comments

@alexandre-leites
Copy link

alexandre-leites commented Jul 10, 2018

Hi,

As everyone here can see, the project is almost abandoned.

I believe someone or preferable a group of people fluent in Go lang should create an 'official' fork of the project so the community can contribute with PRs which won't be waiting forever at "Pull Requests" tab.

I'm not fluent in Go but I can help with docker images or something like that if needed.

====== Edit =====

According to @russtacular comment on 29 Aug 2018 this project is oficially discontinued. Therefore, while the community is discussing where it will be 'oficially' forked and supported, there are several projects already taking place as a migration path:

https://github.com/pusher/oauth2_proxy (see #628 (comment))
https://github.com/buzzfeed/sso
https://github.com/openshift/oauth-proxy
https://github.com/ploxiln/oauth2_proxy (see #628 (comment) and #628 (comment))

Also, there is a discussion on gofrs gofrs/help-requests#32 (comment)

@eforbus
Copy link

eforbus commented Jul 11, 2018

Agree. I think many of us would love to see some of these PRs get merged. Like it or not this is one of the simpler to use solutions for integration of OAuth2 or OIDC providers on top of Kubernetes.

@andreacassioli
Copy link

It is definitely a pity the project is kind of dead. Looks like a lot of people use it though. There is an interesting fork

https://github.com/openshift/oauth-proxy

but specialized on OpenShift.

If I were proficient in Go I would love to help.

Would be nice to know the maintainers opinion.

@ermik
Copy link

ermik commented Jul 18, 2018

Let's find a well-known OSS org on github that could manage having such fork. Security repos shouldn't be on any one personal account. It is important though to have @bitly's support and perhaps have their team add the official fork's releases as a tag on dockerhub.

@alexandre-leites
Copy link
Author

I agree with you @ermik. Finding an OSS organization which can take care of the project and assign people (not just one) which can approve PRs and manage the repository.

@bhack
Copy link

bhack commented Jul 22, 2018

This is used quite often with K8S. /cc @cncf if it has any suggestion of what group could take care of this.

@bhack
Copy link

bhack commented Jul 31, 2018

/cc @jbeda Do you know someone that could be interested to maintain this project active in a fork?

@tanuck
Copy link
Contributor

tanuck commented Aug 6, 2018

Have @bitly stopped using this, hence the staleness of the project? If so it would be interesting to hear what they use instead.

@ermik
Copy link

ermik commented Aug 7, 2018

Everyone at bitly might be just drones and we are a part of their simulation.

@skwashd
Copy link

skwashd commented Aug 8, 2018

I have been in touch with people at bitly about the current state of the project. I will post another update when I have more information.

@mohammed90
Copy link

If you're going for a hard fork, consider https://github.com/gofrs .

@ajcollett
Copy link

I too would like to use this! I recently started using the free Access service from CloudFlare. I really like the concept. So being able to do the same in a stable way with NGINX would be amazing...

@skwashd
Copy link

skwashd commented Aug 24, 2018

I have exchanged emails with the CEO of @bitly. I thought we were going to get this resolved. Unfortunately once it was passed over to an engineer it died.

I think it is pretty clear that this project is no longer a priority for bitly. For whatever reason they are unwilling to pass it over to new stewards.

I propose the following actions:

  • identify a new home for the project
  • mirror the repo in new org
  • update the docs
  • review all outstanding issues/PR and duplicate them in the new project. Add comments on the bitly version with a link to the new issue
  • map out what a ???/oauth_proxy 1.0 (or 3.0) release would look like

@alexandre-leites
Copy link
Author

@skwashd

That's sad to hear.

Have you guys heard of https://github.com/buzzfeed/sso ? It seems to be built on top of OAuth2 proxy with more features. I'll try it out soon...

@logicfox
Copy link

There are many large companies with significant OSS presence that have forked this project and have pending PRs awaiting merge. Can one of these companies please come forward to adopt this project?

There are many features that we require, which are stuck in unreviewed PRs. We are manually merging into our private forks, which is not sustainable!

@mgoldsborough
Copy link

I'm not fluent in Go so I've been working on a node.js port. Would others here be interested in this?

@ccojocar
Copy link

I will be interested to contributed to the maintenance of this project, since we built recently the https://github.com/jenkins-x/sso-operator on top of it and have a certain understanding of the code base.

I like what @skwashd is proposing. It seems that sso-proxy org is still available. Do you have any other suggestions? If you agree, we can move on with this org.

@ermik
Copy link

ermik commented Aug 27, 2018

Could we try reaching out to BuzzFeed for comment (pun intended)? Their sso product seems well-established and a merge path would be a better choice for this repo — and introducing more flexibility (more auth providers, better config, k8s-ready, etc.) to their project could be a symbiotic thing. _ @ccojocar pointed out below that it's not a derivative.

If there are not takers by Oct 1st — let me add to @skwashd's list — we need to identify a group of maintainers that can commit (ok, this pun is just unavoidable) to working on newly forked org/repo for the near future while we try to build a community around it.

In my opinion, here is a minimum of people required for this repo to continue being of the most wonderful tools out there:

  • security expert with substantial credentials
  • cloud-native expert to keep things in perspective
  • networking specialist to push this to the cutting edge
  • engineering manager to keep things going

feel free to adjust.

Please volunteer yourselves with a brief description of your specialty, and please start reaching out to people to see if we have the support we need.

@ermik
Copy link

ermik commented Aug 27, 2018

cc/ @ohaiwalt — you pointed me to this repo and I'll never be more grateful; do you have any thoughts on the matter?

@ccojocar
Copy link

@ermik the buzfeed/sso does not seem to be depend on this proxy https://github.com/buzzfeed/sso/blob/master/Godeps. I am not sure, if it makes sense to couple the two projects.

This project has a well established user base in the Kubernetes community. It must continue to be maintained.

I would say, the simplest way to move forward, it is to create a new organisation with a group of maintainers, and then ask bitly to transfer the ownership of this repo to that organisation.

@skwashd Do you think, would this work onbitly side?

@tanuck
Copy link
Contributor

tanuck commented Aug 28, 2018

If we can't get any response from bitly engineers then it may not be possible to move the repo.

@ccojocar
Copy link

Please could someone from bitly provide an official statement to this issue? I am mentioning all current members of bitly organisation. Sorry for noise!

@apriendeau @hlhendy @jctbitly @jehiah @kpurdon @lrmay @markrechler @mrwoof @russtacular @sioanis @tpherndon

@skwashd
Copy link

skwashd commented Aug 28, 2018

I tried a couple of times to reach the company via twitter. (first attempt and second attempt). The second one lead to a short email exchange with the CEO. It was passed onto @jehiah, who never responded.

Bitly don't owe us anything. They are free to throw their code over the wall and do nothing else. That's how open source works. That said, it is disappointing that they won't engage with the community that they built. Priorities change, life moves on, we accept that. It would have been nice if they either came out and said why the tumbleweed is blowing around the project or worked with interested members of the community to move it to a new home. Sadly there appears to be no interest in either option.

I would be happy to play a role in any fork, but I don't feel like I have the time nor the skills to provide the technical leadership. Without leadership we will remain an unruly mob moving pitch forks.

With all this in mind I created 2bitproxy/oauth2_proxy. I picked the name as it includes bit as a reference to the bitly heritage and a tongue in cheek reference the negative "two bit". (It takes under a minute to rename it with sed).

I believe the first 3 points from the plan I posted last week have been resolved. Who wants to help with the remaining 2?

@kpurdon
Copy link

kpurdon commented Aug 28, 2018

Hi all ... I've reached out internally here at Bitly and will make sure we get a response here soon. Just wanted to drop a line here so you all know we are listening.

@ermik
Copy link

ermik commented Aug 28, 2018

@skwashd It's great we have a home for the time being — thanks for stashing away a nice org name! I think you have it right: we can work on improving the project while this gets resolved. A certain breathing room needs to be maintained for @bitly and other community members, as well as possible maintainers, to chime in to this conversation.

@kpurdon Great news! I don't presume to speak for everyone, but I would say the key thing to resolve here is a managerial one. There is no need for a fork if and only if the team at @bitly is dedicated to working towards granting some community members merge permissions and working towards reinforcing the community support itself for this repository.

@russtacular
Copy link

Hello all,

Sorry it's taken so long to respond—it's often difficult to acknowledge that you can no longer maintain something that you've built and nurtured for so many years.

While this project has served us well internally for a while, we haven't been able to find someone on our team to push it forward and shepherd community contributions that weren't part of our roadmap. We've also since moved on to other priorities and are even investigating switching to buzzfeed/sso since it's a newer fork of oauth2_proxy.

As a result, we've decided to make this read-only and archive this project at the end of September. We're happy to update the readme to point people to newer, maintained forks, so please update this issue (or start a new one) with possible successors in order to make this transition as easy as possible.

@cilindrox
Copy link

Thanks for the update @russtacular

@adamdecaf
Copy link

adamdecaf commented Dec 6, 2018

SGTM. Please ping on this issue as updates happen.

Gofrs would be another option and I can help get it moved over there.

@skwashd
Copy link

skwashd commented Dec 7, 2018

I am happy to transfer the organisation to someone he will run with the fork. As mentioned above we have decided to use an alternative product for our use cases. While I am interested in helping out it will all be in my limited spare time. My changes were a change I made to support github teams properly (PR #613) and some "rebranding".

My email address is on my profile. It's probably easier to discuss things there. If you're planning to pull an npm event-stream stunt, don't waste your time emailing me.

@adamdecaf
Copy link

I've created a Gofrs issue to adopt the project and I'll volunteer time to work and improve the project.

@adamdecaf
Copy link

Could we hand out github issue access to a few folks? There are lots of issues and PR's that could be closed.

Example: (Adding a Dockerfile): #671, #460, #372, and #86

@ermik
Copy link

ermik commented Dec 11, 2018

@xalexslx Could you update the original issue above with the list of forks to give people a migration path whilst community decides the fate of this?

https://github.com/buzzfeed/sso
https://github.com/openshift/oauth-proxy
https://github.com/pusher/oauth2_proxy

Possibly going to be on gofrs gofrs/help-requests#32

@alexandre-leites
Copy link
Author

@ermik

Original issue updated with the links and official comment of russtacular regarding this project.

@ploxiln
Copy link
Contributor

ploxiln commented Dec 21, 2018

Just by the way, if anyone needs a recent release while waiting for the pusher fork to be ready, I've incorporated the fsnotify/hmacauth import fixes on top of latest master, merged 8 other PRs from this repo (incl. google/github/gitlab groups enhancements, redirect-domain-whitelist, other bits), and made a couple of releases with decent changelogs and binary builds at my fork: https://github.com/ploxiln/oauth2_proxy/releases

@danihodovic
Copy link

Thanks @ploxiln ! Could you push an image to Docker hub?

@ploxiln
Copy link
Contributor

ploxiln commented Dec 22, 2018

EDITED (I don't want to spam this issue too much)

Fixed link to my fork's docker image info: https://hub.docker.com/r/ploxiln/oauth2_proxy (it's also mentioned in the README at my fork)

Further discussion of my fork should probably go in issues at my fork. Also note that the "pusher" fork will probably soon be the central/community repo, particularly when it transitions to CNCF.

@JoelSpeed
Copy link
Contributor

For those interested I have an update on the progress of the Pusher fork.

  • I have got to the stage where I am happy with the migration work (although if anyone would like to review the changes I have made please feel free Migration from Bitly to Pusher oauth2-proxy/oauth2-proxy#7)
  • Once the migration work has been merged I will create a v3.0.0 release on the Pusher fork to distinguish where the migration was made and start accepting functionality PRs no top of this release
  • I am still on the look-out to add some maintainers to the repository. For the moment all opened PRs will request the pusher/cloud-team for review but if anyone else is interested in being given review/merge permissions, please email me joel[at]pusher.com
  • I have created a new PR (Add archival notice with links to continued projects #684) to add an archival notice to this repo which notes the buzzfeed, openshift and pusher forks, this will need reviewing and hopefully merging by someone from bitly (Could @russtacular please help with this?)
  • I spoke with several members of the CNCF TOC before christmas about the project and they agree that the project could become a sandbox project with them but some work will need to be done before this can happen. In particular it will need a small amount of co-operation from Bitly so I'd like to initiate a conversation with someone from Bitly about whether they support the idea of transferring the project to the CNCF before I put any further effort into this, @russtacular could you confirm who would be best to talk to about this?

@JoelSpeed
Copy link
Contributor

For interested parties, the new v3.0.0 release has now been merged and I will now start working on migrating PRs and issues over to the Pusher fork as and when I have time

https://github.com/pusher/oauth2_proxy/releases/tag/v3.0.0

@adamdecaf
Copy link

Thanks! Did you see the v3.0.0 image has a few known vulnerable libraries or alerts? The quay page 404's for me, but maybe they're visible to you?

https://quay.io/repository/pusher/oauth2_proxy?tag=latest&tab=tags

@tlawrie
Copy link

tlawrie commented Jan 15, 2019

For interested parties, the new v3.0.0 release has now been merged and I will now start working on migrating PRs and issues over to the Pusher fork as and when I have time

https://github.com/pusher/oauth2_proxy/releases/tag/v3.0.0

@JoelSpeed Great work! Looking forward to switching to the Pusher version. Do you know when you will merge in the changes from your fork such as OIDC session refresh?

@JoelSpeed
Copy link
Contributor

Thanks! Did you see the v3.0.0 image has a few known vulnerable libraries or alerts? The quay page 404's for me, but maybe they're visible to you?

Noted, they are also 404'ing for me so I will try and look into this, I suspect they are vulnerabilities in the debian base image we are using

@JoelSpeed Great work! Looking forward to switching to the Pusher version. Do you know when you will merge in the changes from your fork such as OIDC session refresh?

Working on that this week! See oauth2-proxy/oauth2-proxy#14

@desimone
Copy link
Contributor

I recently released pomerium. Pomerium may be a good fit for new users, or those okay with significant breaking changes from oauth2_proxy.

Like oauth2_proxy, pomerium is a reverse proxy but has additional goals of supporting dynamic policy, and identity/device aware access control similar to BeyondCorp.

@fnkr
Copy link

fnkr commented Jan 21, 2019

@desimone Hi, Pomerium looks nice, especially in terms of code quality and structure. I do miss a few features (e.g. a provider for GitLab) but would be willing to contribute them. Is there a Gitter/Slack/similar chat to discuss things?

@desimone
Copy link
Contributor

@fnkr thank you for your kind words!

If you don't mind creating an issue in our repo, I'm sure we can address both adding support for GitLab and finding a good place to discuss things.

@apriendeau
Copy link
Contributor

Hey Everyone! There are several good forks out there. We recommend looking at them and using them! I have listed out the ones that I found in this list and will add them to the README redirecting people there.

pomerium
Ploxlin oauth2_proxy fork
Pusher oauth2_proxy fork

@JoelSpeed
Copy link
Contributor

@apriendeau I already have a PR open to add a notice that this repo is archived and list maintained forks, do you have the ability to review it? #684

@apriendeau
Copy link
Contributor

@JoelSpeed Thanks for saving me the effort! It has been merged and I am going to lock this conversation 👍

@bitly bitly locked as resolved and limited conversation to collaborators Jan 23, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Development

No branches or pull requests