sso
sso copied to clipboard
buzzfeed
sso, aka S.S.Octopus, aka octoboi, is a single sign-on solution for securing internal services
**Is your feature request related to a problem? Please describe.** I'd like to use the same proxy to forward TCP requests, e.g. forwarding a request to a DB without going...
## Problem current sso images don't support arm64 architecture. that means we can't run them on AWS Graviton's or Apple M1's ## Solution build a multi-arch with `linux/amd64,linux/arm64` platform support...
can we publish multi-arch images so we can use ARM on aws? ``` docker buildx build --platform linux/amd64,linux/arm64,linux/arm/v7 ```
The TestSignatureRoundTripDecoding in configuration_test.go ,the test case failed,the error is ``` === RUN TestSignatureRoundTripDecoding request_signer_test.go:180: exp: "424ed3e021af966edfd244d35dd1bfb9d05a42e2ae10095a8d3c5c23dc3fa5cb" got: "424f5a1abb9c82c354773f665592d5b7bbde933611e46ef5039db87b2d4c5e1c" --- FAIL: TestSignatureRoundTripDecoding (0.00s) ``` But I can't find out where...
**Describe the bug** This proxy supports a variety of mechanisms to authorize access to a host: https://github.com/buzzfeed/sso/blob/290f27ea84bcf1c83a06a5908ee8afd1d15cf7ab/internal/proxy/proxy.go#L48-L59 When responding to the Oauth callback (that is, when a user first authenticates...
## Problem When certain TTL's expire we revalidate or refresh the session (e.g. https://github.com/buzzfeed/sso/blob/master/internal/proxy/oauthproxy.go#L759-L764), which then ends up **directly** calling the `ValidateGroup` provider method (https://github.com/buzzfeed/sso/blob/master/internal/proxy/providers/sso.go#L381). Because here we're not using...
## Problem We are still calling `ValidateGroup()` directly within `sso_proxy`, but using the options/validator package elsewhere in the same logic path (originally partially due to circular imports). This makes it...
## Problem The current setup of html sign in and sign out pages causes some extra friction with implementing https://github.com/buzzfeed/sso/pull/252 - this change gives us some extra flexibility here. Also,...
## Problem As a follow up to https://github.com/buzzfeed/sso/pull/247, this removes some redundant logic from the sso authenticator, particularly surrounding the `AUTHORIZE_EMAIL_DOMAINS` and `AUTHORIZE_EMAIL_ADDRESSES` configuration variables. ## Solution `AUTHORIZE_EMAIL_ADDRESSES` was only...
## Problem We currently mandate the use of a global email domain to authenticate both on the proxy side as well as the authenticator side. This is limiting for organizations...
