Improve support for AAD Auth proxying w/ group authz support #347
base: master
Conversation
ETA? |
Sorry, I don't follow. We've been using this internally for a bit now. Does it need something to be ready for merge? |
This is to permit us to store a user's Groups in a pipe-delimited list without fear of bad splits or having to reassemble it in transit.
* Add unittests for group filtering (Azure)
FYI, I went live with this and it turns out that having |
@bdwyertech, thanks for the report. I'm unfortunately no longer in a position to test this, but did you have any success with different values for I'm surprised to hear you had that result. I don't believe that everyone was an admin in my former team. Hopefully it's a simple fix. Do let @pasoroki know if you're able to do any testing, as he may be interested in updating this PR. :) |
I will definitely update the PR. |
Fix state option
Code cleanup
This PR is updated:
The |
providers/google_test.go
Outdated
@@ -110,16 +110,16 @@ func TestGoogleProviderValidateGroup(t *testing.T) { | |||
p.GroupValidator = func(email string) bool { | |||
return email == "michael.bland@gsa.gov" | |||
} | |||
assert.Equal(t, true, p.ValidateGroup("michael.bland@gsa.gov")) | |||
assert.Equal(t, true, p.ValidateGroup(&SessionState{Email:"michael.bland@gsa.gov"})) |
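Review bot: the new `+` line is not gofmt-clean: `&SessionState{Email:"michael.bland@gsa.gov"}` needs a space after the key in the composite literal, i.e. `&SessionState{Email: "michael.bland@gsa.gov"}`, which is why test.sh stops on this file; running gofmt on providers/google_test.go before pushing fixes it. Since `ValidateGroup` now takes a `*SessionState` while `GroupValidator` still receives a plain email string, a second assertion with a session whose `Email` does not match the validator's expected value would confirm that the field being forwarded is really `Email`.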
test.sh is currently stopping due to "go fmt" not liking this line which you changed
Fix for google_test validation
The test panic is:
I think that's on this line: `log.Printf("OAuthProxy configured for %s Client ID: %s", opts.provider.Data().ProviderName, opts.ClientID)` so You are making a significant change to how providers work in this PR: making the provider no longer default to "google" but instead return Command-line common-use-case compatibility-breaking changes should not be bundled with other changes like group handling enhancements, and are probably enough to prevent this from being merged. On the other hand, while this project/repo is not "dead", it is not clear what might be merged next, or in how many weeks or months. It looks like any of the changes you want to get in might be a bit too big to get into the next round, not really because they're "bad", but just because review capacity of the maintainers is low. (I'm not a maintainer.) If this PR is just useful as a common resource for multiple users of this variant/functionality, that's quite fine, you can ignore me :) |
Fixing issues that caused test failures
Sorry @kerma I don't work on that |
@pasoroki would you accept a PR with that functionality ? |
@kerma sure, just don't forget to cover code with tests |
When might this be merged? Groups support is really the only path forward when it comes to Azure provider support for companies larger than ~10 individuals. |
Merge? We really need this feature. Thanks |
This looks like exactly what we need - any idea when it can get merged (and released)? |
I've played with this PR and haven't been able to get Azure Roles or Groups passed through. Does anyone have docs on the Azure set-up side of things? |
@dekimsey you will have to use v2.0 api endpoint and scope: profile I guess |
@lukasmrtvy Thanks, that made me look into this deeper. I haven't been able to see/get roles but I did get groups working. It was a number of things, some PEBKAC, others permissions issues with the Graph API [user_list_memberof](https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_list_memberof). WRT the PR itself, I did find that a large group list will cause it to go into a loop hitting the azure cookie /oauth2/callback repeatedly as the Cookie maximum size is exceeded and unable to save in the browser. To whoever decides to merge this or take this over, it might be worth catching that situation rather than infinite looping. Also, the FilterGroups parameter cannot be specified multiple times, which makes filtering tricky. |
This looks like exactly what we need - any idea when it can get merged? |
@mariusfylling this is a dead project. Keycloak and Keycloak Gatekeeper can do the magic for You. |
Thank you, will look into this. |
Fyi: there is an active discussion about forking this project here: #628 |
This PR improves support for backing oauth2_proxy with Azure Active Directory, along with a few other changes. We've been using this internally for lightly-loaded services for a couple of weeks, and are ready to contribute it back upstream. Thanks for the great base upon which to build!

BREAKING CHANGES:

* The `google-groups` field was renamed to `permit-groups`.
* `:` character instead of the `|` character in order to adopt conventional construction of the `X-Forwarded-Groups` header (usually `foo|bar|baz`).
* The `provider` option is now mandatory.

Added functionality:

* `X-Forwarded-Groups` header, filtering groups (in order to limit cookie size), and restricting access based on group string matches.
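As an added illustration of the group handling this PR describes, and of the two failure modes raised in the thread (a group name containing the `|` delimiter causing bad splits, and a group list too large for the session cookie causing the repeated `/oauth2/callback` loop), here is a small Go example. It is not code from this PR or from oauth2_proxy; the function names, the `groupDelimiter` constant and the 4096-byte cookie limit are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Illustrative constants; these are assumptions for this example, not values
// taken from the PR.
const (
	// Delimiter used when joining groups into the X-Forwarded-Groups header
	// ("foo|bar|baz" in the PR description).
	groupDelimiter = "|"
	// Rough per-cookie size most browsers will still accept, in bytes.
	maxCookieBytes = 4096
)

// ErrCookieTooLarge is returned instead of emitting a cookie the browser would
// silently drop, which is what produced the repeated /oauth2/callback loop
// reported in the thread.
var ErrCookieTooLarge = errors.New("session cookie exceeds browser size limit")

// FilterGroups keeps only the groups present in permitted (case-insensitive,
// exact string match), preserving the order in which they were received.
// Dropping non-permitted groups is what keeps the cookie small.
func FilterGroups(groups, permitted []string) []string {
	allowed := make(map[string]struct{}, len(permitted))
	for _, p := range permitted {
		allowed[strings.ToLower(p)] = struct{}{}
	}
	var kept []string
	for _, g := range groups {
		if _, ok := allowed[strings.ToLower(g)]; ok {
			kept = append(kept, g)
		}
	}
	return kept
}

// GroupsHeader joins groups into the X-Forwarded-Groups value. A group name that
// itself contains the delimiter is rejected, because the upstream would split it
// into two bogus groups (the "bad splits" concern in the thread).
func GroupsHeader(groups []string) (string, error) {
	for _, g := range groups {
		if strings.Contains(g, groupDelimiter) {
			return "", fmt.Errorf("group %q contains delimiter %q", g, groupDelimiter)
		}
	}
	return strings.Join(groups, groupDelimiter), nil
}

// CheckCookieSize returns ErrCookieTooLarge when "name=value" would not fit in
// maxCookieBytes, so the caller can fail the login visibly instead of looping.
func CheckCookieSize(name, value string) error {
	if len(name)+1+len(value) > maxCookieBytes {
		return ErrCookieTooLarge
	}
	return nil
}

// Authorized reports whether at least one of the user's groups is permitted,
// i.e. whether FilterGroups leaves anything behind.
func Authorized(userGroups, permitted []string) bool {
	return len(FilterGroups(userGroups, permitted)) > 0
}

func main() {
	// Constructed sample: the directory returns four groups, two are permitted.
	userGroups := []string{"Everyone", "ops-oncall", "finance", "Ops-Admins"}
	permitted := []string{"ops-admins", "ops-oncall"}

	kept := FilterGroups(userGroups, permitted)
	header, err := GroupsHeader(kept)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("X-Forwarded-Groups:", header) // ops-oncall|Ops-Admins
	fmt.Println("authorized:", Authorized(userGroups, permitted))

	// A session whose group list is too long must fail loudly, not loop.
	huge := strings.Repeat("group-name|", 500)
	if err := CheckCookieSize("_oauth2_proxy", huge); err != nil {
		fmt.Println("refusing to set cookie:", err)
	}
}
```

The size check is deliberately done on the encoded cookie value before `Set-Cookie` is emitted; once the browser has dropped the cookie, the proxy can no longer distinguish "no session" from "session rejected", which is exactly why the redirect loop is hard to diagnose from the server side.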