This repository has been archived by the owner on Dec 7, 2020. It is now read-only.
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- shifting over to the echo rather than gin web framework
- adding the extra dependencies
- dropped the cors middleware and using the default middleware from echo router
- completely removing gin-gonic
- adding the Renderer implementation
- loading the templates for the custom pages
- hooking in the drop for the proxy middleware
- updating the readme to reflect the changes
- updating the CHANGELOG to reflect the changes
- updating the authors file
- adding the extra test for api errors and drop refresh cookie
- updated the golang version to v1.8
- shifting most of the checks into a common testing method makeFakeRequests()
- fixed the cli parsing for slices, was incorrectly setting the reflected value
- adding a quick check for the forwarding proxy
- changed the option log-requests to --enable-logging
- changed the option --json-format to --enable-json-logging
- ensure nothing in /oauth is passed to the proxy forwarder. Echo doesn't run middleware if no route is found, so we had to hack this slightly to get it to work
- removed unrequired elements from the testing code
- fixed the newTestToken; need to copy the map
- updated the authors file
- added test coverage for token refreshing
- cleaned up some of the code around tests
- fixed up the checks for the callback endpoint
- update the kubernetes example files to deployments
- fixed up the unit tests for the custom claims
Showing 196 changed files with 13,504 additions and 11,304 deletions.
@@ -9,6 +9,8 @@ tests/db.bolt | |
test.sock | ||
tests/redis.conf | ||
tests/*.csr | ||
*.orig | ||
debug | ||
|
||
*.iml | ||
config.yml | ||
|
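Review bot: the bare `debug` pattern ignores any file or directory named `debug` anywhere in the tree, not only a build artefact at the repository root; if only the root binary is meant, anchor it as `/debug`. Ignoring `config.yml` is the right call, since the README examples put `client-secret` and `encryption_key` in that file and it should never be committed.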
@@ -9,7 +9,6 @@ services: | |
- docker | ||
language: go | ||
go: | ||
- 1.7 | ||
- 1.8 | ||
install: | ||
- go get github.com/tools/godep | ||
|
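Review bot: dropping `1.7` leaves the CI matrix on a floating `1.8`, which resolves to the latest 1.8.x patch, while the Makefile pins `GOVERSION ?= 1.8.0`; either pin both or document that CI and the Docker build may run different toolchains. The `go get github.com/tools/godep` install step also fetches an unpinned tool at build time; pinning it (or vendoring) keeps the build reproducible.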
@@ -1,7 +1,9 @@ | ||
Allan Degnan <[email protected]> | ||
Ben Marvell <[email protected]> | ||
Chris Nesbitt-Smith <[email protected]> | ||
Jiten Bhagat <[email protected]> | ||
johanneslanger <[email protected]> | ||
Naveen <[email protected]> | ||
Rémi Vion <[email protected]> | ||
Rohith <[email protected]> | ||
Rohith Jayawardene <[email protected]> | ||
|
@@ -2,7 +2,7 @@ NAME=keycloak-proxy | |
AUTHOR=gambol99 | ||
AUTHOR_EMAIL[email protected] | ||
REGISTRY=quay.io | ||
GOVERSION ?= 1.7.3 | ||
GOVERSION ?= 1.8.0 | ||
SUDO= | ||
ROOT_DIR=${PWD} | ||
HARDWARE=$(shell uname -m) | ||
|
@@ -24,15 +24,15 @@ | |
Keycloak-proxy is a proxy service which at the risk of stating the obvious integrates with the [Keycloak](https://github.com/keycloak/keycloak) authentication service. Although technically the service has no dependency on Keycloak itself and would quite happily work with any OpenID provider. The service supports both access tokens in browser cookie or bearer tokens. | ||
|
||
```shell | ||
[jest@starfury keycloak-proxy]$ bin/keycloak-proxy help | ||
[jest@starfury keycloak-proxy]$ bin/keycloak-proxy --help | ||
NAME: | ||
keycloak-proxy - is a proxy using the keycloak service for auth and authorization | ||
|
||
USAGE: | ||
keycloak-proxy [options] | ||
|
||
VERSION: | ||
v2.0.2 (git+sha: 260d2c8-dirty) | ||
v3.0.0 (git+sha: e9482f7-dirty) | ||
|
||
AUTHOR: | ||
Rohith <[email protected]> | ||
|
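Review bot: the captured help output shows `v3.0.0 (git+sha: e9482f7-dirty)`, i.e. it was generated from a working tree with uncommitted changes, so the sha in the README does not correspond to any commit; regenerate the block from a clean checkout before release.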
@@ -47,7 +47,7 @@ GLOBAL OPTIONS: | |
--discovery-url value discovery url to retrieve the openid configuration [$PROXY_DISCOVERY_URL] | ||
--client-id value client id used to authenticate to the oauth service [$PROXY_CLIENT_ID] | ||
--client-secret value client secret used to authenticate to the oauth service [$PROXY_CLIENT_SECRET] | ||
--redirection-url value redirection url for the oauth callback url [$PROXY_REDIRECTION_URL] | ||
--redirection-url value redirection url for the oauth callback url, defaults to host header is absent [$PROXY_REDIRECTION_URL] | ||
--revocation-url value url for the revocation endpoint to revoke refresh token [$PROXY_REVOCATION_URL] | ||
--skip-openid-provider-tls-verify skip the verification of any TLS communication with the openid provider (default: false) | ||
--scopes value list of scopes requested when authenticating the user | ||
|
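Review bot: the new help text for `--redirection-url` reads "defaults to host header is absent"; it should read "if absent". More important than the wording: deriving the OAuth callback URL from the request's `Host` header means a client that can supply an arbitrary `Host` value can steer where the authorization code is delivered. The fallback should only be used when the header matches one of the configured `--hostnames`, or the option should remain mandatory.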
@@ -68,6 +68,7 @@ GLOBAL OPTIONS: | |
--filter-frame-deny enable to the frame deny header (default: false) | ||
--content-security-policy value specify the content security policy | ||
--localhost-metrics enforces the metrics page can only been requested from 127.0.0.1 (default: false) | ||
--access-token-duration value fallback cookie duration for the access token when using refresh tokens (default: 720h0m0s) | ||
--cookie-domain value domain the access cookie is available to, defaults host header | ||
--cookie-access-name value name of the cookie use to hold the access token (default: "kc-access") | ||
--cookie-refresh-name value name of the cookie used to hold the encrypted refresh token (default: "kc-state") | ||
|
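Review bot: the new `--access-token-duration` option defaults to `720h0m0s` (30 days), which is far longer than a typical access-token lifetime; the help text should say when this fallback applies (presumably when the token itself carries no usable expiry) so operators do not read it as the normal cookie lifetime. The same "defaults host header" wording on `--cookie-domain` two lines down has the same Host-header trust concern as `--redirection-url`.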
@@ -89,7 +90,7 @@ GLOBAL OPTIONS: | |
--cors-max-age value max age applied to cors headers (Access-Control-Max-Age) (default: 0s) | ||
--hostnames value list of hostnames the service will respond to | ||
--store-url value url for the storage subsystem, e.g redis://127.0.0.1:6379, file:///etc/tokens.file | ||
--encryption-key value encryption key used to encrpytion the session state | ||
--encryption-key value encryption key used to encryption the session state [$PROXY_ENCRYPTION_KEY] | ||
--log-requests enable http logging of the requests (default: false) | ||
--json-format switch on json logging rather than text (default: false) | ||
--no-redirects do not have back redirects when no authentication is present, 401 them (default: false) | ||
|
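Review bot: `--log-requests` and `--json-format` are still listed in this help block, but the commit message says they were renamed to `--enable-logging` and `--enable-json-logging`; the README output needs regenerating from the new binary. In the same hunk, "encryption key used to encryption the session state" should read "used to encrypt the session state".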
@@ -158,7 +159,7 @@ resources: | |
- openvpn:vpn-user | ||
- openvpn:prod-vpn | ||
- test | ||
- uri: /admin | ||
- uri: /admin/* | ||
methods: | ||
- GET | ||
roles: | ||
|
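Review bot: this example changes `/admin` to `/admin/*`, while the example further down uses `/admin*`. Under echo's match-any routing, `/admin/*` does not match a request for `/admin` itself, so the bare path would fall through to the default (unauthenticated) proxying; pick one form, state which paths it covers, and use it consistently.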
@@ -188,13 +189,13 @@ redirection-url: http://127.0.0.1:3000 | |
encryption_key: AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j | ||
upstream-url: http://127.0.0.1:80 | ||
resources: | ||
- uri: /admin | ||
- uri: /admin* | ||
methods: | ||
- GET | ||
roles: | ||
- client:test1 | ||
- client:test2 | ||
- uri: /backend | ||
- uri: /backend* | ||
roles: | ||
- client:test1 | ||
``` | ||
|
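Review bot: the YAML example mixes key styles, `encryption_key` beside `redirection-url` and `upstream-url`; if the loader accepts only one spelling, the key is silently dropped and the session state is not protected as the reader expects. The literal `AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j` is also the kind of value that gets copied into production configs; mark it as a throwaway sample.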
@@ -211,10 +212,20 @@ bin/keycloak-proxy \ | |
--enable-refresh-token=true \ | ||
--encryption-key=AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j \ | ||
--upstream-url=http://127.0.0.1:80 \ | ||
--resources="uri=/admin|methods=GET|roles=test1,test2" \ | ||
--resources="uri=/backend|roles=test1" | ||
--resources="uri=/admin*|methods=GET|roles=test1,test2" \ | ||
--resources="uri=/backend*|roles=test1" | ||
``` | ||
#### **HTTP Routing** | ||
By default all requests will be proxyed on to the upstream, if you wish to ensure all requests are authentication you can use | ||
```shell | ||
--resource=uri=/* | ||
``` | ||
Note the HTTP routing rules following the guidelines from [echo](https://echo.labstack.com/guide/routing). Its also worth nothing the ordering of the resource do not matter, the router will handle that for you. | ||
#### **Google OAuth** | ||
Although the role extensions do require a Keycloak IDP or at the very least a IDP that produces a token which contains roles, there's nothing stopping you from using it against any OpenID providers, such as Google. Go to the Google Developers Console and create a new application *(via "Enable and Manage APIs -> Credentials)*. Once you've created the application, take the client id, secret and make sure you've added the callback url to the application scope *(using the default this would be http://127.0.0.1:3000/oauth/callback)* | ||
|
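Review bot: the new HTTP Routing section uses `--resource=uri=/*`, while every other example uses `--resources=`; one of the two flag names is wrong. Since the section states that unmatched requests are proxied without authentication by default, it should also recommend the deny-by-default form (`uri=/*` plus explicit white-listed exceptions) rather than leave that as an afterthought. Typos in the same lines: "proxyed", "are authentication", "worth nothing" (for "worth noting"), "the ordering of the resource do not matter".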
@@ -223,7 +234,7 @@ bin/keycloak-proxy \ | |
--discovery-url=https://accounts.google.com/.well-known/openid-configuration \ | ||
--client-id=<CLIENT_ID> \ | ||
--client-secret=<CLIENT_SECRET> \ | ||
--resources="uri=/" \ | ||
--resources="uri=/*" \ | ||
--verbose=true | ||
``` | ||
|
@@ -403,7 +414,7 @@ By default the proxy will immediately redirect you for authentication and hand b | |
#### **White-listed URL's** | ||
Depending on how the application url's are laid out, you might want protect the root / url but have exceptions on a list of paths, i.e. /health etc. Although you should probably fix this by fixing up the paths, you can add excepts to the protected resources. (Note: it's an array, so the order is important) | ||
Depending on how the application url's are laid out, you might want protect the root / url but have exceptions on a list of paths, i.e. /health etc. Although you should probably fix this by fixing up the paths, you can add excepts to the protected resources. | ||
```YAML | ||
resources: | ||
|
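Review bot: removing "(Note: it's an array, so the order is important)" is consistent with the new routing section, but the paragraph should now say how an overlapping exception such as `/health` is resolved against a protected `/*` (most specific match wins?), since the reader can no longer rely on ordering. Wording: "url's" should be "URLs" and "excepts" should be "exceptions".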
@@ -445,7 +456,7 @@ A /oauth/logout?redirect=url is provided as a helper to logout the users. Aside | |
#### **Cross Origin Resource Sharing (CORS)** | ||
You can add CORS header via the --cors-[method] command line or configuration options. By default this will inject CORS header into all response from the /oauth/* and any authentication required redirects, though you can enable these globally for all responses via the --enable-cors-global option. | ||
You can add CORS header via the --cors-[method] command line or configuration options. | ||
* Access-Control-Allow-Origin | ||
* Access-Control-Allow-Methods | ||
|
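Review bot: the sentence describing where CORS headers are injected (previously `/oauth/*` and authentication redirects, or everywhere with `--enable-cors-global`) was removed without a replacement. State whether the echo default middleware now applies the `--cors-*` headers to every response and whether `--enable-cors-global` still exists; clients that relied on the old scoping will see a behaviour change, which also belongs in the CHANGELOG.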