Comments (13)
There are no outstanding issues for security here. We are just using this issue to track the fact that we haven't documented how to report security issues.
Please use the latest releases to ensure you have up to date security patches
from oauth2-proxy.
This needs fixing and I am currently trying to work out how I want to handle this, I need to speak to our internal support team who currently handle most security issues for Pusher owned projects.
For now, could you please email me directly joel[at]pusher.com and I will look into the issue you have found.
from oauth2-proxy.
email sent :)
from oauth2-proxy.
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.
from oauth2-proxy.
We still need to work out how security reports should be handled. As a note, if anyone finds this, please do not email my pusher address, I no longer work for Pusher and I will not receive it
from oauth2-proxy.
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.
from oauth2-proxy.
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.
from oauth2-proxy.
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.
from oauth2-proxy.
@JoelSpeed @jtnord The security issue discussed here is not very clear. Is this still relevant? If yes, can you share more details for the same.
from oauth2-proxy.
this is still valid. there are no details on how to report security issues for this repo.
from oauth2-proxy.
Agreed. I or one of the other maintainers needs to find some time to create a SECURITY.md
doc that explains what users should do if they do find any vulnerabilities and what our responsibilities are in these cases
from oauth2-proxy.
@jtnord @JoelSpeed Can you share how severe is the issue ? and What is the plan to fix this or Is there a patched version available ?
from oauth2-proxy.
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.
from oauth2-proxy.
Related Issues (20)
- [Support]: Return 401 if Bearer token is not valid HOT 3
- [Bug]: oidc-allow-unverified-email ignored when using extra-jwt-issuers HOT 1
- [Bug]: Keycloak scopes not being added to refresh token call HOT 4
- Retrieve Client Secret from Secret Manager (Vault/Akeyless)
- [OAuth2-Proxy] Custom error page giving out 403 Forbidden Nginx error HOT 1
- [Support]: '{"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience.","innerError":{"date":"2024-02-20T13:53:31","request-id":"8d9fc07c-848f-4ef7-8444-69e722c3ecc3","client-request-id":"8d9fc07c-848f-4ef7-8444-69e722c3ecc3"}}}' HOT 1
- [Oauth2-proxy]: <failed to create shim task>
- [Support]: injectRequestHeaders with nested claims
- [Feature]: Support custom header name for Authorization header
- [Support]: How to get On-premises SAM account name (AD sAMAccountName) into X-User header?
- [Bug]: No longer working on Kubernetes after upgrading from 7.5.1 to 7.6.0 HOT 3
- [Support]: oauth2-proxy access token validation HOT 1
- [Feature]: Google Groups via Cloud Identity API
- How to skip the OAUTH2-Proxy spalsh screen and directly redirect to auth portal ? HOT 2
- [Support]: <oidc_isssuer_url not discovering endpoints for keycloak>
- OIDC groups claim ignored HOT 1
- [Bug]: --client-secret-file with keycloak-oidc provider results in token exchange fail HOT 1
- [Support]: Using an incoming `redirect_uri` set by client in `oauth2/start?redirect_url=https%3A%2F%2Foauth.pstmn.io%2Fv1%2Fcallback&...` HOT 1
- [Support]: configuration of redirect_uri and authorization header HOT 1
- [Feature]: Support setting unix socket listener file mode HOT 8
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from oauth2-proxy.