-
-
Notifications
You must be signed in to change notification settings - Fork 413
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow custom key to be used for whitelist and X-Forwarded-User instead of the hardcoded email #159
base: master
Are you sure you want to change the base?
Conversation
Hi, thanks for the PR - I like this and I think it makes sense, I don't love that we're so tied to email addresses right now, so this is a nice step forward. I like the implementation and there isn't anything I want to change other than a few variable names and docs:
And yes, please could you drop the github action out - we're looking and using an action to build the cross platform image, but I'm happy with docker hub's build at the moment Thanks again for your work on this, it will be a great addition :) |
remove UserID type rename comma delimited to comma separated
Hey, no problem! I needed it myself :) Would you be able to help out with:
Would be cool to add example JSONs from the |
If I can somehow get my hands on a build of this version, I could verify it against nextcloud, if anyone is interested. (related to #191, where there's an example json including relevant fields for nextcloud). Also it would be amazing if other properties could be read (and configured) as well. Things I use with other OAuth clients (with nextcloud being the OAuth provider) are id, email, groups and display-name. I am not sure if this pr should be extended or if this is a whole other matter. |
Hey this is my docker-compose with the docker image of this build - maxisme/traefik-forward-auth:
so the |
README.md
Outdated
--lifetime= Lifetime in seconds (default: 43200) [$LIFETIME] | ||
--logout-redirect= URL to redirect to following logout [$LOGOUT_REDIRECT] | ||
--url-path= Callback URL Path (default: /_oauth) [$URL_PATH] | ||
--secret= Secret used for signing (required) [$SECRET] | ||
--whitelist= Only allow given email addresses, can be set multiple times [$WHITELIST] | ||
--whitelist= Only allow given email addresses, comma separated, can be set multiple times [$WHITELIST] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe this should now also be
-Only allow given email addresses
+Only allow given user id
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice, good catch!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed
Dockerfile
Outdated
@@ -1,4 +1,4 @@ | |||
FROM golang:1.13-alpine as builder | |||
FROM golang:1.14-alpine as builder |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
strictly speaking, these version updates would normally not be part of a pull request.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How do you mean? Only @thomseddon should make these changes?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
that's completely up to the maintainer, but in many projects I contributed to, a PR was really just about one specific feature or bugfix.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
reverted
after reviewing, I think the only thing missing is a test case for plain user ids. There's an extensive test case for user emails, but nothing just for user names. It should also be considered if the current email test in -func TestAuthValidateEmail(t *testing.T) {
+func TestAuthValidateUser(t *testing.T) { But I would also not mind if the two were kept separate. |
what would be the way forward for getting this merged and released? |
…d-auth � Conflicts: � internal/auth.go � internal/auth_test.go � internal/server.go
@ccoenen @thomseddon would you be able to approve maxisme#1 to fix the conflicts. I haven't written Go in a few months and it all seems very alien haha. I will then merge into this PR and then should be good to go? |
I don't feel entirely qualified to review this, I'm sorry. I'm just some random user with basic knowledge of the Go language. |
logger.WithField("email", email).Warn("Invalid email") | ||
http.Error(w, "Not authorized", 401) | ||
logger.WithField("user", user).Warn("Invalid user") | ||
http.Error(w, fmt.Sprintf("User '%s' is not authorized", user), 401) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
http.Error(w, fmt.Sprintf("User '%s' is not authorized", user), 401) | |
http.Error(w, "Not authorized", 401) |
Thanks to everyone involved in this change. This PR seems valuable to many users. Thus it would be nice to merge (or decline) it soon, especially since it seems fully functional and reviewed. One issue that I spot, is that it doesn't seem possible to combine a non-email user identified with domain validation. |
Hey @maxisme I would love to this merged. Please take in account this comment with proposal: #159 (comment) Maybe @thomseddon could help us pushing this? |
@maxisme I appears to me that this line is missing from the readme.txt. https://github.com/maxisme/traefik-forward-auth/blob/a98e568f6fe8bef192180200b69fe76329e5647a/internal/config.go#L41 |
The callback of GitHubs
USER_URL
returns the json:With this PR you can now customize the value used for whitelisting and X-Forwarded-User. Before it was hardcoded to be the
email
tag (now default).This solves the problem of needing to expose your email in GitHub as well 🙂
Warning: have only tested fully with GH with
GenericOAuth
and no other providers (I leftOIDC
as is) but should work withGoogle
.Working Docker image at maxisme/traefik-forward-auth
I also: