Comments (4)
In the `session_state` in the `EncryptedString` and `DecodeSessionState` functions, we can include the `accountInfo()` as encrypted instead of having them in clear. If you agree I can do a PR with this fix.
With the `-cookie-httponly` and `-cookie-secure` options, both of which are enabled by default, the browser will only send the cookie over https to the server running oauth2_proxy. For what it's worth.
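As an added example, not code from this thread or from oauth2-proxy itself, the following Go program puts the two points above side by side: the proposal to carry the account info inside the session state in encrypted form rather than in clear, and the `HttpOnly`/`Secure` cookie defaults just described. Everything in it is an assumption for illustration: the `sessionState` struct, a constructed 32-byte cookie secret used as an AES-256-GCM key, and the helper names `newGCM`, `seal`, `open`, `encodeSessionState`, `decodeSessionState` and `sessionCookie` are not oauth2-proxy's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// sessionState is a hypothetical stand-in for oauth2-proxy's session state. As
// proposed in the thread, the account info (Email) is sealed together with the
// token rather than serialised in clear.
type sessionState struct {
	Email       string
	AccessToken string
	ExpiresOn   time.Time
}

// newGCM derives an AES-256-GCM AEAD from the 32-byte cookie secret.
func newGCM(secret []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(secret)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts a payload under a fresh random nonce and returns
// nonce||ciphertext as URL-safe base64 (cookie-safe characters only).
func seal(aead cipher.AEAD, plaintext string) (string, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(aead.Seal(nonce, nonce, []byte(plaintext), nil)), nil
}

// open reverses seal; a wrong key or any tampering fails GCM authentication.
func open(aead cipher.AEAD, encoded string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	n := aead.NonceSize()
	if len(raw) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := aead.Open(nil, raw[:n], raw[n:], nil)
	return string(pt), err
}

// encodeSessionState seals the whole state (email, token, unix expiry joined by
// NUL) so that none of it, account info included, is readable in the cookie.
func encodeSessionState(aead cipher.AEAD, s *sessionState) (string, error) {
	return seal(aead, strings.Join([]string{s.Email, s.AccessToken, strconv.FormatInt(s.ExpiresOn.Unix(), 10)}, "\x00"))
}

// decodeSessionState decrypts and parses a value produced by encodeSessionState.
func decodeSessionState(aead cipher.AEAD, v string) (*sessionState, error) {
	pt, err := open(aead, v)
	if err != nil {
		return nil, err
	}
	f := strings.Split(pt, "\x00")
	if len(f) != 3 {
		return nil, errors.New("malformed session state")
	}
	exp, err := strconv.ParseInt(f[2], 10, 64)
	if err != nil {
		return nil, err
	}
	return &sessionState{Email: f[0], AccessToken: f[1], ExpiresOn: time.Unix(exp, 0)}, nil
}

// sessionCookie sets HttpOnly and Secure, the defaults the thread describes: page
// scripts cannot read the cookie and the browser only sends it over HTTPS.
func sessionCookie(name, value string, expires time.Time) *http.Cookie {
	return &http.Cookie{Name: name, Value: value, Path: "/", Expires: expires, HttpOnly: true, Secure: true}
}

func main() {
	aead, err := newGCM([]byte("0123456789abcdef0123456789abcdef")) // constructed 32-byte key, not a real secret
	if err != nil {
		panic(err)
	}
	s := &sessionState{Email: "alice@example.com", AccessToken: "tok-123", ExpiresOn: time.Now().Add(time.Hour)}
	v, err := encodeSessionState(aead, s)
	if err != nil {
		panic(err)
	}
	fmt.Println(sessionCookie("_oauth2_proxy", v, s.ExpiresOn).String())
}
```

The two mechanisms cover different risks, which is the crux of the disagreement in this thread: `HttpOnly` and `Secure` control where the browser will expose or transmit the cookie, while sealing the state controls what anyone who already holds a copy of the cookie value (from a proxy log, a backup, or developer tools on the user's machine) can read from it. Because GCM authenticates the whole payload, an edited expiry or email in the cookie is rejected on decode rather than trusted.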
@costelmoraru What is the problem with this approach? In this case the cookies are only available by the browser to be sent over HTTPS (so no man in the middle reading the cookie) and can't be read by client-side scripts (so no malicious scripts finding anything out), the only real way to see the content would be on the user's machine using something like developer tools? But I would expect the user would know their email anyway?
I appreciate enterprises can be quite strict with their security requirements but I am struggling to see the security flaw here
Your proposed solution does however seem sensible.
Issue closed by PR #120.