Merge pull request #1412 from oauth2-proxy/release-7.2.0

Release 7.2.0

CHANGELOG.md

@@ -4,11 +4,27 @@
 
 ## Important Notes
 
+## Breaking Changes
+
+## Changes since v7.2.0
+
+# V7.2.0
+
+## Release Highlights
+
+- LinkedIn provider updated to support the new v2 API
+- Introduce `--force-json-errors` to allow OAuth2 Proxy to protect JSON APIs and disable authentication redirection
+- Add URL rewrite capabilities to the upstream proxy
+- New ADFS provider integration
+- New Keycloak OIDC provider integration
+- Introduced Multiarch Docker images on the standard image tags
+
+## Important Notes
+
 - [#1086](https://github.com/oauth2-proxy/oauth2-proxy/pull/1086) The extra validation to protect invalid session
   deserialization from v6.0.0 (only) has been removed to improve performance. If you are on v6.0.0, either upgrade
   to a version before this first and allow legacy sessions to expire gracefully or change your `cookie-secret`
   value and force all sessions to reauthenticate.
-
 - [#1210](https://github.com/oauth2-proxy/oauth2-proxy/pull/1210) A new `keycloak-oidc` provider has been added with support for role based authentication. The existing keycloak auth provider will eventually be deprecated and removed. Please switch to the new provider `keycloak-oidc`.
 
 ## Breaking Changes

README.md

@@ -23,7 +23,7 @@ Going forward, all images shall be available at `quay.io/oauth2-proxy/oauth2-pro
 
 1.  Choose how to deploy:
 
-    a. Download [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v7.1.3`)
+    a. Download [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v7.2.0`)
 
     b. Build with `$ go get github.com/oauth2-proxy/oauth2-proxy/v7` which will put the binary in `$GOROOT/bin`
 

contrib/local-environment/docker-compose-keycloak.yaml

@@ -15,7 +15,7 @@ services:
 
   oauth2-proxy:
     container_name: oauth2-proxy
-    image: quay.io/oauth2-proxy/oauth2-proxy:v7.1.3
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.0
     command: --config /oauth2-proxy.cfg
     hostname: oauth2-proxy
     volumes:

contrib/local-environment/docker-compose.yaml

@@ -13,7 +13,7 @@ version: '3.0'
 services:
   oauth2-proxy:
     container_name: oauth2-proxy
-    image: quay.io/oauth2-proxy/oauth2-proxy:v7.1.3
+    image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.0
     command: --config /oauth2-proxy.cfg
     ports:
       - 4180:4180/tcp

docs/docs/installation.md

@@ -6,7 +6,7 @@ slug: /
 
 1.  Choose how to deploy:
 
-    a. Download [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v7.1.3`)
+    a. Download [Prebuilt Binary](https://github.com/oauth2-proxy/oauth2-proxy/releases) (current release is `v7.2.0`)
 
     b. Build with `$ go get github.com/oauth2-proxy/oauth2-proxy/v7` which will put the binary in `$GOPATH/bin`
 

docs/versioned_docs/version-7.2.x/behaviour.md

@@ -0,0 +1,11 @@
+---
+id: behaviour
+title: Behaviour
+---
+
+1. Any request passing through the proxy (and not matched by `--skip-auth-regex`) is checked for the proxy's session cookie (`--cookie-name`) (or, if allowed, a JWT token - see `--skip-jwt-bearer-tokens`).
+2. If authentication is required but missing then the user is asked to log in and redirected to the authentication provider (unless it is an Ajax request, i.e. one with `Accept: application/json`, in which case 401 Unauthorized is returned)
+3. After returning from the authentication provider, the oauth tokens are stored in the configured session store (cookie, redis, ...) and a cookie is set
+4. The request is forwarded to the upstream server with added user info and authentication headers (depending on the configuration)
+
+Notice that the proxy also provides a number of useful [endpoints](features/endpoints.md).

docs/versioned_docs/version-7.2.x/community/security.md

@@ -0,0 +1,49 @@
+---
+id: security
+title: Security
+---
+
+:::note
+OAuth2 Proxy is a community project.
+Maintainers do not work on this project full time, and as such,
+while we endeavour to respond to disclosures as quickly as possible,
+this may take longer than in projects with corporate sponsorship.
+:::
+
+## Security Disclosures
+
+:::important
+If you believe you have found a vulnerability within OAuth2 Proxy or any of its
+dependencies, please do NOT open an issue or PR on GitHub, please do NOT post
+any details publicly.
+:::
+
+Security disclosures MUST be done in private.
+If you have found an issue that you would like to bring to the attention of the
+maintenance team for OAuth2 Proxy, please compose an email and send it to the
+list of maintainers in our [MAINTAINERS](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/MAINTAINERS) file.
+
+Please include as much detail as possible.
+Ideally, your disclosure should include:
+- A reproducible case that can be used to demonstrate the exploit
+- How you discovered this vulnerability
+- A potential fix for the issue (if you have thought of one)
+- Versions affected (if not present in master)
+- Your GitHub ID
+
+### How will we respond to disclosures?
+
+We use [GitHub Security Advisories](https://docs.github.com/en/github/managing-security-vulnerabilities/about-github-security-advisories)
+to privately discuss fixes for disclosed vulnerabilities.
+If you include a GitHub ID with your disclosure we will add you as a collaborator
+for the advisory so that you can join the discussion and validate any fixes
+we may propose.
+
+For minor issues and previously disclosed vulnerabilities (typically for
+dependencies), we may use regular PRs for fixes and forego the security advisory.
+
+Once a fix has been agreed upon, we will merge the fix and create a new release.
+If we have multiple security issues in flight simultaneously, we may delay
+merging fixes until all patches are ready.
+We may also backport the fix to previous releases,
+but this will be at the discretion of the maintainers.