A reverse proxy that provides authentication with Google, Azure, OpenID Connect and many more identity providers.
--backend-logout-url with {id_token} placeholder (@babs)
X-Forwarded-Groups header (@tuunit)
The following PR introduces a change to how auth routes are evaluated using the flags skip-auth-route/skip-auth-regex. The new behaviour uses the regex you specify to evaluate the full path including query parameters. For more details please read the detailed description in #2271.
htpasswd.GetUsers race condition safe (@babs)
https://login.microsoftonline.com/{tenant-id}/v2.0) as --oidc_issuer_url, in conjunction with the --resource flag, be sure to append /.default at the end of the resource name. See https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#the-default-scope for more details.
code_challenge_method in your configuration instead of force_code_challenge_method.
--code-challenge-method flag can be used to enable it with the method of your choice.
65532, which is also known as the nonroot user in distroless images.
allowed_emails query parameter to the auth_request. (@zv0n)
/oauth2/start to the identity provider's login URL. Configuration settings control which parameters are passed by default and precisely which values can be overridden per-request. (@ianroberts)
Microsoft Azure AD (@omBratteng)
--oidc-extra-audience) and ability to specify extra audiences (--oidc-extra-audience) allowed passing audience verification. This enables support for AWS Cognito and other issuers that have custom audience claims. Also, this adds the ability to allow multiple audiences. (@kschu91)
allowed_email_domains and the allowed_groups on the auth_request, plus support for the standard wildcard character for validation with sub-domain and email-domain. (@w3st3ry @armandpicard)
This release contains a number of bug and security fixes, but has no feature additions.
upn claim consistently in ADFSProvider (@NickMeves)
--force-json-errors to allow OAuth2 Proxy to protect JSON APIs and disable authentication redirection
cookie-secret value and force all sessions to reauthenticate.
keycloak-oidc provider has been added with support for role-based authentication. The existing keycloak auth provider will eventually be deprecated and removed. Please switch to the new provider keycloak-oidc.
X-Forwarded-Groups header to the upstream server will no longer be prefixed with group:
--force-json-errors flag (@bancek)
cfg name in show-debug-on-error flag (@iTaybb)
</form> tag on the sign_in page when not using a custom template (@jord1e)
panic when connecting to Redis with TLS (@mstrzele)
--insecure-oidc-skip-nonce is currently true by default in case any existing OIDC Identity Providers don't support it. The default will switch to false in a future version.