Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add SameSite option #264

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add SameSite option #264

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
56 changes: 34 additions & 22 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,28 +16,35 @@ A minimal forward authentication service that provides OAuth/SSO login and authe

# Contents

- [Releases](#releases)
- [Usage](#usage)
- [Simple](#simple)
- [Advanced](#advanced)
- [Provider Setup](#provider-setup)
- [Configuration](#configuration)
- [Overview](#overview)
- [Option Details](#option-details)
- [Concepts](#concepts)
- [Forwarded Headers](#forwarded-headers)
- [User Restriction](#user-restriction)
- [Applying Authentication](#applying-authentication)
- [Global Authentication](#global-authentication)
- [Selective Ingress Authentication in Kubernetes](#selective-ingress-authentication-in-kubernetes)
- [Selective Container Authentication in Swarm](#selective-container-authentication-in-swarm)
- [Rules Based Authentication](#rules-based-authentication)
- [Operation Modes](#operation-modes)
- [Overlay Mode](#overlay-mode)
- [Auth Host Mode](#auth-host-mode)
- [Logging Out](#logging-out)
- [Copyright](#copyright)
- [License](#license)
- [Traefik Forward Auth !Build Status [![Go Report Card](https://goreportcard.com/badge/github.com/thomseddon/traefik-forward-auth)](https://goreportcard.com/report/github.com/thomseddon/traefik-forward-auth) ![Docker Pulls](https://img.shields.io/docker/pulls/thomseddon/traefik-forward-auth.svg) [![GitHub release](https://img.shields.io/github/release/thomseddon/traefik-forward-auth.svg)](https://GitHub.com/thomseddon/traefik-forward-auth/releases/)](#traefik-forward-auth----)
- [Why?](#why)
- [Contents](#contents)
- [Releases](#releases)
- [Upgrade Guide](#upgrade-guide)
- [Usage](#usage)
- [Simple:](#simple)
- [Advanced:](#advanced)
- [Provider Setup](#provider-setup)
- [Google](#google)
- [OpenID Connect](#openid-connect)
- [Generic OAuth2](#generic-oauth2)
- [Configuration](#configuration)
- [Overview](#overview)
- [Option Details](#option-details)
- [Concepts](#concepts)
- [User Restriction](#user-restriction)
- [Forwarded Headers](#forwarded-headers)
- [Applying Authentication](#applying-authentication)
- [Global Authentication](#global-authentication)
- [Selective Ingress Authentication in Kubernetes](#selective-ingress-authentication-in-kubernetes)
- [Selective Container Authentication in Swarm](#selective-container-authentication-in-swarm)
- [Rules Based Authentication](#rules-based-authentication)
- [Operation Modes](#operation-modes)
- [Overlay Mode](#overlay-mode)
- [Auth Host Mode](#auth-host-mode)
- [Logging Out](#logging-out)
- [Copyright](#copyright)
- [License](#license)

## Releases

Expand Down Expand Up @@ -154,6 +161,7 @@ Application Options:
--config= Path to config file [$CONFIG]
--cookie-domain= Domain to set auth cookie on, can be set multiple times [$COOKIE_DOMAIN]
--insecure-cookie Use insecure cookies [$INSECURE_COOKIE]
--same-site-cookie Set SameSite cookie property (0: Default (1), 1: Lax, 2: Strict, 3: None)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Env-Name available to control this sould be documented here, [$SAMESITE_COOKIE]

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same issue here with the numbers as well, I think also the (1) is missleading?

--cookie-name= Cookie Name (default: _forward_auth) [$COOKIE_NAME]
--csrf-cookie-name= CSRF Cookie Name (default: _forward_auth_csrf) [$CSRF_COOKIE_NAME]
--default-action=[auth|allow] Default action (default: auth) [$DEFAULT_ACTION]
Expand Down Expand Up @@ -243,6 +251,10 @@ All options can be supplied in any of the following ways, in the following prece

If you are not using HTTPS between the client and traefik, you will need to pass the `insecure-cookie` option which will mean the `Secure` attribute on the cookie will not be set.

- `same-site-cookie`

A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` (same-site-cookie=4) and `Secure` (insecure-cookie=false). You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032

- `cookie-name`

Set the name of the cookie set following successful authentication.
Expand Down
1 change: 1 addition & 0 deletions internal/auth.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -173,6 +173,7 @@ func MakeCookie(r *http.Request, email string) *http.Cookie {
Path: "/",
Domain: cookieDomain(r),
HttpOnly: true,
SameSite: http.SameSite(config.SameSiteCookie),
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

shouldn't we have this line in the 3 other similar blocks in this package? So both for the "Clear" and for the CSRF-Cookie further down? I needed to do this in order to get everything work on my end

Secure: !config.InsecureCookie,
Expires: expires,
}
Expand Down
7 changes: 7 additions & 0 deletions internal/auth_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -278,6 +278,13 @@ func TestAuthMakeCookie(t *testing.T) {
c = MakeCookie(r, "[email protected]")
assert.Equal("testname", c.Name)
assert.False(c.Secure)

config.CookieName = "testname"
config.InsecureCookie = true
config.SameSiteCookie = 3
c = MakeCookie(r, "[email protected]")
assert.Equal("testname", c.Name)
assert.Equal(http.SameSiteStrictMode, c.SameSite)
}

func TestAuthMakeCSRFCookie(t *testing.T) {
Expand Down
1 change: 1 addition & 0 deletions internal/config.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ type Config struct {
Config func(s string) error `long:"config" env:"CONFIG" description:"Path to config file" json:"-"`
CookieDomains []CookieDomain `long:"cookie-domain" env:"COOKIE_DOMAIN" env-delim:"," description:"Domain to set auth cookie on, can be set multiple times"`
InsecureCookie bool `long:"insecure-cookie" env:"INSECURE_COOKIE" description:"Use insecure cookies"`
SameSiteCookie int `long:"same-site-cookie" env:"SAMESITE_COOKIE" default:"0" description:"Set cookies SameSite value (0: Default (1), 1: Lax, 2: Strict, 3: None)"`
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that those numbers are wrong. For me I needed to set 4 for None for example

CookieName string `long:"cookie-name" env:"COOKIE_NAME" default:"_forward_auth" description:"Cookie Name"`
CSRFCookieName string `long:"csrf-cookie-name" env:"CSRF_COOKIE_NAME" default:"_forward_auth_csrf" description:"CSRF Cookie Name"`
DefaultAction string `long:"default-action" env:"DEFAULT_ACTION" default:"auth" choice:"auth" choice:"allow" description:"Default action"`
Expand Down