Merge branch 'master' into pr/krumelmonster/552

Author: bnfinet

.github/workflows/coverage.yml

@@ -18,7 +18,7 @@ jobs:
       fail-fast: false
       matrix:
         # go: ['1.14', '1.15']
-        go: ['1.18']
+        go: ['1.23']
 
     steps:
       - uses: actions/setup-go@v2

.github/workflows/docker-release-quayio-alpine.yml

@@ -17,14 +17,20 @@ jobs:
     steps:
       - name: Check out the repo
         uses: actions/checkout@v2
-      
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
       - name: Log in to Docker repository
         uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
         with:
           registry: ${{ env.DOCKER_REPO }}
           username: ${{ secrets.QUAYIO_ROBOT_USERNAME }}
           password: ${{ secrets.QUAYIO_ROBOT_PASSWORD }}
-      
+
       - name: Extract metadata (tags, labels) for Docker
         id: meta
         uses: docker/metadata-action@a67f45cb0f8e65cf693a0bc5bfa1c5057c623030
@@ -36,12 +42,15 @@ jobs:
             type=ref,event=branch
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
-     
+
       - name: Build and push Docker image using Dockerfile.alpine
         uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
         with:
           file: Dockerfile.alpine
           context: .
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: |
+            linux/amd64
+            linux/arm64

.github/workflows/docker-release-quayio.yml

@@ -17,14 +17,20 @@ jobs:
     steps:
       - name: Check out the repo
         uses: actions/checkout@v2
-      
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
       - name: Log in to Docker repository
         uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
         with:
           registry: ${{ env.DOCKER_REPO }}
           username: ${{ secrets.QUAYIO_ROBOT_USERNAME }}
           password: ${{ secrets.QUAYIO_ROBOT_PASSWORD }}
-      
+
       - name: Extract metadata (tags, labels) for Docker
         id: meta
         uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
@@ -34,11 +40,14 @@ jobs:
             type=ref,event=branch
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
-     
+
       - name: Build and push Docker image using Dockerfile
         uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
         with:
           context: .
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          platforms: |
+            linux/amd64
+            linux/arm64

.gitignore

@@ -4,6 +4,7 @@ main
 config/config.yml
 config/*config.yml
 config/config.yml_*
+!config/config.yml_example_pocket-id
 config/google_config.json
 config/secret
 !config/testing/*

.travis.yml

@@ -7,7 +7,7 @@ services:
   - docker
 
 go:
-  - "1.18"
+  - "1.23"
 
 env:
   - ISTRAVIS=true

CHANGELOG.md

@@ -4,6 +4,33 @@
 
 Coming soon! Please document any work in progress here as part of your PR. It will be moved to the next tag when released.
 
+## v0.45.0
+
+- Implement a Discord provider that uses `Username` as the username to match against in the `whiteList` config
+  - Or uses `Username#Discriminator` if the Discriminator is present
+  - Or uses ID if `discord_use_ids` is set
+
+## v0.44.0
+
+- migrate to github.com/golang-jwt/jwt/v4
+
+## v0.43.0
+
+- support multi-platform / multi-arch builds for published Docker images including `linux/amd64` and `linux/arm64`
+
+## v0.42.0
+
+- [fix auth to github](https://github.com/vouch/vouch-proxy/pull/601)
+- cleanup of minor issues flagged by gostaticcheck
+
+## v0.41.0
+
+- upgrade golang to `v1.23` from `v1.22`
+
+## v0.40.0
+
+- upgrade golang to `v1.22` from `v1.18`
+
 ## v0.39.0
 
 - [add support for listening on unix domain sockets](https://github.com/vouch/vouch-proxy/pull/488)

Dockerfile

@@ -1,6 +1,6 @@
 # quay.io/vouch/vouch-proxy
 # https://github.com/vouch/vouch-proxy
-FROM golang:1.18 AS builder
+FROM golang:1.23 AS builder
 
 ARG UID=999
 ARG GID=999

Dockerfile.alpine

@@ -1,6 +1,6 @@
 # quay.io/vouch/vouch-proxy
 # https://github.com/vouch/vouch-proxy
-FROM golang:1.18 AS builder
+FROM golang:1.23 AS builder
 
 ARG UID=999
 ARG GID=999

README.md

@@ -21,15 +21,16 @@ Vouch Proxy supports many OAuth and OIDC login providers and can enforce authent
 - [Alibaba / Aliyun iDaas](https://github.com/vouch/vouch-proxy/issues/344)
 - [AWS Cognito](https://github.com/vouch/vouch-proxy/issues/105)
 - [Twitch](https://github.com/vouch/vouch-proxy/blob/master/config/config.yml_example_twitch)
-- [Discord](https://github.com/eltariel/foundry-docker-nginx-vouch)
+- [Discord](https://github.com/vouch/vouch-proxy/blob/master/config/config.yml_example_discord)
 - [SecureAuth](https://github.com/vouch/vouch-proxy/blob/master/config/config.yml_example_secureauth)
 - [Gitea](https://github.com/vouch/vouch-proxy/blob/master/config/config.yml_example_gitea)
-- Keycloak
+- [Keycloak](config/config.yml_example_keycloak)
 - [OAuth2 Server Library for PHP](https://github.com/vouch/vouch-proxy/issues/99)
 - [HomeAssistant](https://developers.home-assistant.io/docs/en/auth_api.html)
 - [OpenStax](https://github.com/vouch/vouch-proxy/pull/141)
 - [Ory Hydra](https://github.com/vouch/vouch-proxy/issues/288)
 - [Nextcloud](https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/oauth2.html)
+- [Pocket ID](https://github.com/vouch/vouch-proxy/blob/master/config/config.yml_example_pocket-id)
 - most other OpenID Connect (OIDC) providers
 
 Please do let us know when you have deployed Vouch Proxy with your preffered IdP or library so we can update the list.
@@ -50,11 +51,11 @@ If Vouch is running on the same host as the Nginx reverse proxy the response tim
 - [Running from Docker](#running-from-docker)
 - [Kubernetes Nginx Ingress](#kubernetes-nginx-ingress)
 - [Compiling from source and running the binary](#compiling-from-source-and-running-the-binary)
-- [/login and /logout endpoint redirection](#-login-and--logout-endpoint-redirection)
+- [/login and /logout endpoint redirection](#login-and-logout-endpoint-redirection)
 - [Troubleshooting, Support and Feature Requests](#troubleshooting-support-and-feature-requests-read-this-before-submitting-an-issue-at-github)
   (Read this before submitting an issue at GitHub)
-  - [I'm getting an infinite redirect loop which returns me to my IdP (Google/Okta/GitHub/...)](#i-m-getting-an-infinite-redirect-loop-which-returns-me-to-my-idp--google-okta-github--)
-  - [Okay, I looked at the issues and have tried some things with my configs but it's still not working](#okay--i-looked-at-the-issues-and-have-tried-some-things-with-my-configs-but-it-s-still-not-working)
+  - [I'm getting an infinite redirect loop which returns me to my IdP (Google/Okta/GitHub/...)](#im-getting-an-infinite-redirect-loop-which-returns-me-to-my-idp-googleoktagithub)
+  - [Okay, I looked at the issues and have tried some things with my configs but it's still not working](#okay-i-looked-at-the-issues-and-have-tried-some-things-with-my-configs-but-its-still-not-working)
   - [Contributing to Vouch Proxy](#contributing)
 - [Advanced Authorization Using OpenResty](#advanced-authorization-using-openresty)
 - [The flow of login and authentication using Google Oauth](#the-flow-of-login-and-authentication-using-google-oauth)
@@ -145,7 +146,7 @@ server {
       # forward authorized requests to your service protectedapp.yourdomain.com
       proxy_pass http://127.0.0.1:8080;
       # you may need to set these variables in this block as per https://github.com/vouch/vouch-proxy/issues/26#issuecomment-425215810
-      #    auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user
+      #    auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
       #    auth_request_set $auth_resp_x_vouch_idp_claims_groups $upstream_http_x_vouch_idp_claims_groups;
       #    auth_request_set $auth_resp_x_vouch_idp_claims_given_name $upstream_http_x_vouch_idp_claims_given_name;
 
@@ -251,7 +252,7 @@ The variable `VOUCH_CONFIG` can be used to set an alternate location for the con
 All Vouch Proxy configuration items are documented in [config/config.yml_example](https://github.com/vouch/vouch-proxy/blob/master/config/config.yml_example)
 
 - [Cacheing of the Vouch Proxy `/validate` response in Nginx](https://github.com/vouch/vouch-proxy/issues/76#issuecomment-464028743)
-- [Handleing `OPTIONS` requests when protecting an API with Vouch Proxy](https://github.com/vouch/vouch-proxy/issues/216)
+- [Handling `OPTIONS` requests when protecting an API with Vouch Proxy](https://github.com/vouch/vouch-proxy/issues/216)
 - [Validation by GitHub Team or GitHub Org](https://github.com/vouch/vouch-proxy/pull/205)
 - [Running VP on a Raspberry Pi using the ARM based Docker image](https://github.com/vouch/vouch-proxy/pull/247)
 - [Kubernetes architecture post ingress](https://github.com/vouch/vouch-proxy/pull/263#issuecomment-628297832)
@@ -332,6 +333,8 @@ an `alpine` based container built from `Dockerfile.alpine`
 - `quay.io/vouch/vouch-proxy:alpine-latest`
 - `quay.io/vouch/vouch-proxy:alpine-x.y.z`
 
+As of `v0.43.0` both of these images are [Multi-platform builds](https://docs.docker.com/build/building/multi-platform/) supporting `linux/amd64` and `linux/arm64`.
+
 Vouch Proxy `arm` images are available on [Docker Hub](https://hub.docker.com/r/voucher/vouch-proxy/)
 
 - `voucher/vouch-proxy:latest-arm`

config/config.yml_example_discord

@@ -0,0 +1,34 @@
+
+# Vouch Proxy configuration
+# bare minimum to get Vouch Proxy running with Discord as an OpenID Provider
+
+
+vouch:
+  domains:
+    - yourdomain.com
+
+  # whiteList is a list of usernames that will allow a login if allowAllUsers is false
+  whiteList:
+    # The default behavior matches the Discord user's username
+    - loganintech
+
+    # If the user still hasn't chosen a new username, the old username#discrimnator format will work
+    - LoganInTech#1203
+
+    # If discord_use_ids is set to true, you must use the user's ID
+    - 12345678901234567
+
+  cookie:
+    # allow the jwt/cookie to be set into http://yourdomain.com (defaults to true, requiring https://yourdomain.com)
+    secure: false
+    # vouch.cookie.domain must be set when enabling allowAllUsers
+    # domain: yourdomain.com
+
+# https://discord.com/developers/docs/topics/oauth2
+oauth:
+  provider: discord
+  client_id: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
+  client_secret: xxxxxxxxxxxxxxxxxxxxxxxx
+  callback_url: http://vouch.yourdomain.com:9090/auth
+  ## Uncomment this to match users based on their Discord ID
+  # discord_use_ids: true