Comments (4)
In the session_state in the EncryptedString and DecodeSessionState functions, we can include the accountInfo() as encrypted instead of having them in clear. If you agree I can do a PR with this fix.
from oauth2-proxy.
With the -cookie-httponly and -cookie-secure options, both of which are enabled by default, the browser will only send the cookie over https to the server running oauth2_proxy. For what it's worth.
from oauth2-proxy.
@costelmoraru What is the problem with this approach? In this case the cookies are only available by the browser to be sent over HTTPS (so no man in the middle reading the cookie) and can't be read by client-side scripts (so no malicious scripts finding anything out), the only real way to see the content would be on the user's machine using something like developer tools? But I would expect the user would know their email anyway?
I appreciate enterprises can be quite strict with their security requirements but I am struggling to see the security flaw here.
Your proposed solution does however seem sensible.
from oauth2-proxy.
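The two points the thread makes, sealing the account info inside the session value and relying on the HttpOnly and Secure cookie attributes, as an added Go example that is not oauth2-proxy's own code. The SessionState fields, the function names, the demo key and the cookie name are assumptions; the session is serialised to JSON and encrypted whole with AES-GCM, the cookie is emitted with both attributes, and MissingCookieFlags checks a Set-Cookie header line for them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
	"time"
)

// SessionState stands in for the proxy's session; its shape is an assumption.
type SessionState struct {
	Email       string `json:"email"`
	AccessToken string `json:"access_token"`
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncodeSessionState serialises the whole session, account info included, and
// seals it with AES-GCM as base64url(nonce || ciphertext || tag); a fresh
// random nonce per call means equal sessions never yield equal cookie values.
func EncodeSessionState(key []byte, s SessionState) (string, error) {
	plain, err := json.Marshal(s)
	if err != nil {
		return "", err
	}
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, plain, nil)
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// DecodeSessionState reverses EncodeSessionState. GCM's tag check makes any
// edit to the cookie value, or a value made under another key, fail.
func DecodeSessionState(key []byte, value string) (SessionState, error) {
	var s SessionState
	raw, err := base64.RawURLEncoding.DecodeString(value)
	if err != nil {
		return s, err
	}
	aead, err := newGCM(key)
	if err != nil {
		return s, err
	}
	if len(raw) < aead.NonceSize() {
		return s, errors.New("session value too short")
	}
	plain, err := aead.Open(nil, raw[:aead.NonceSize()], raw[aead.NonceSize():], nil)
	if err != nil {
		return s, err
	}
	return s, json.Unmarshal(plain, &s)
}

// SessionCookie sets the two protections the thread describes as defaults:
// HttpOnly (no access from page scripts) and Secure (sent only over HTTPS).
func SessionCookie(name, value string, expires time.Time) *http.Cookie {
	return &http.Cookie{Name: name, Value: value, Path: "/", Expires: expires, HttpOnly: true, Secure: true}
}

// MissingCookieFlags reports which of HttpOnly and Secure a Set-Cookie header
// line lacks, a quick check to run against a live deployment's response.
func MissingCookieFlags(setCookie string) []string {
	present := map[string]bool{}
	for _, part := range strings.Split(setCookie, ";") {
		present[strings.ToLower(strings.TrimSpace(part))] = true
	}
	var missing []string
	for _, flag := range []string{"httponly", "secure"} {
		if !present[flag] {
			missing = append(missing, flag)
		}
	}
	return missing
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key; a real one comes from config
	value, err := EncodeSessionState(key, SessionState{Email: "alice@example.com", AccessToken: "tok-123"})
	if err != nil {
		panic(err)
	}
	fmt.Println(SessionCookie("_oauth2_proxy", value, time.Now().Add(time.Hour)))
	fmt.Println("missing on a bare cookie:", MissingCookieFlags("_oauth2_proxy=x; Path=/"))
}
```

Encrypting the whole state rather than single fields keeps the cookie format uniform and means a future field cannot be added in clear by accident; the authentication tag also rejects a value that has been edited on the user's machine, which the flags alone do not cover.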
Issue closed by the PR #120.
from oauth2-proxy.