Proposal for Official Fork
alexandre-leites opened this issue · comments
Hi,
As everyone here can see, the project is almost abandoned.
I believe someone or preferable a group of people fluent in Go lang should create an 'official' fork of the project so the community can contribute with PRs which won't be waiting forever at "Pull Requests" tab.
I'm not fluent in Go but I can help with docker images or something like that if needed.
====== Edit =====
According to @russtacular comment on 29 Aug 2018 this project is oficially discontinued. Therefore, while the community is discussing where it will be 'oficially' forked and supported, there are several projects already taking place as a migration path:
https://github.com/pusher/oauth2_proxy (see #628 (comment))
https://github.com/buzzfeed/sso
https://github.com/openshift/oauth-proxy
https://github.com/ploxiln/oauth2_proxy (see #628 (comment) and #628 (comment))
Also, there is a discussion on gofrs gofrs/help-requests#32 (comment)
Agree. I think many of us would love to see some of these PRs get merged. Like it or not this is one of the simpler to use solutions for integration of OAuth2 or OIDC providers on top of Kubernetes.
It is definitely a pity the project is kind of dead. Looks like a lot of people use it though. There is an interesting fork
https://github.com/openshift/oauth-proxy
but specialized on OpenShift.
If I were proficient in Go I would love to help.
Would be nice to know the maintainers opinion.
Let's find a well-known OSS org on github that could manage having such fork. Security repos shouldn't be on any one personal account. It is important though to have @bitly's support and perhaps have their team add the official fork's releases as a tag on dockerhub.
I agree with you @ermik. Finding an OSS organization which can take care of the project and assign people (not just one) which can approve PRs and manage the repository.
This is used quite often with K8S. /cc @cncf if it has any suggestion of what group could take care of this.
/cc @jbeda Do you know someone that could be interested to maintain this project active in a fork?
Have @bitly stopped using this, hence the staleness of the project? If so it would be interesting to hear what they use instead.
Everyone at bitly might be just drones and we are a part of their simulation.
I have been in touch with people at bitly about the current state of the project. I will post another update when I have more information.
If you're going for a hard fork, consider https://github.com/gofrs .
I too would like to use this! I recently started using the free Access service from CloudFlare. I really like the concept. So being able to do the same in a stable way with NGINX would be amazing...
I have exchanged emails with the CEO of @bitly. I thought we were going to get this resolved. Unfortunately once it was passed over to an engineer it died.
I think it is pretty clear that this project is no longer a priority for bitly. For whatever reason they are unwilling to pass it over to new stewards.
I propose the following actions:
- identify a new home for the project
- mirror the repo in new org
- update the docs
- review all outstanding issues/PR and duplicate them in the new project. Add comments on the bitly version with a link to the new issue
- map out what a ???/oauth_proxy 1.0 (or 3.0) release would look like
That's sad to hear.
Have you guys heard of https://github.com/buzzfeed/sso ? It seems to be built on top of OAuth2 proxy with more features. I'll try it out soon...
There are many large companies with significant OSS presence that have forked this project and have pending PRs awaiting merge. Can one of these companies please come forward to adopt this project?
There are many features that we require, which are stuck in unreviewed PRs. We are manually merging into our private forks, which is not sustainable!
I'm not fluent in Go so I've been working on a node.js port. Would others here be interested in this?
I will be interested to contributed to the maintenance of this project, since we built recently the https://github.com/jenkins-x/sso-operator on top of it and have a certain understanding of the code base.
I like what @skwashd is proposing. It seems that sso-proxy org is still available. Do you have any other suggestions? If you agree, we can move on with this org.
Could we try reaching out to BuzzFeed for comment (pun intended)? Their _ @ccojocar pointed out below that it's not a derivative.sso product seems well-established and a merge path would be a better choice for this repo — and introducing more flexibility (more auth providers, better config, k8s-ready, etc.) to their project could be a symbiotic thing.
If there are not takers by Oct 1st — let me add to @skwashd's list — we need to identify a group of maintainers that can commit (ok, this pun is just unavoidable) to working on newly forked org/repo for the near future while we try to build a community around it.
In my opinion, here is a minimum of people required for this repo to continue being of the most wonderful tools out there:
- security expert with substantial credentials
- cloud-native expert to keep things in perspective
- networking specialist to push this to the cutting edge
- engineering manager to keep things going
feel free to adjust.
Please volunteer yourselves with a brief description of your specialty, and please start reaching out to people to see if we have the support we need.
cc/ @ohaiwalt — you pointed me to this repo and I'll never be more grateful; do you have any thoughts on the matter?
@ermik the buzfeed/sso does not seem to be depend on this proxy https://github.com/buzzfeed/sso/blob/master/Godeps. I am not sure, if it makes sense to couple the two projects.
This project has a well established user base in the Kubernetes community. It must continue to be maintained.
I would say, the simplest way to move forward, it is to create a new organisation with a group of maintainers, and then ask bitly to transfer the ownership of this repo to that organisation.
@skwashd Do you think, would this work onbitly side?
If we can't get any response from bitly engineers then it may not be possible to move the repo.
Please could someone from bitly provide an official statement to this issue? I am mentioning all current members of bitly organisation. Sorry for noise!
@apriendeau @hlhendy @jctbitly @jehiah @kpurdon @lrmay @markrechler @mrwoof @russtacular @sioanis @tpherndon
I tried a couple of times to reach the company via twitter. (first attempt and second attempt). The second one lead to a short email exchange with the CEO. It was passed onto @jehiah, who never responded.
Bitly don't owe us anything. They are free to throw their code over the wall and do nothing else. That's how open source works. That said, it is disappointing that they won't engage with the community that they built. Priorities change, life moves on, we accept that. It would have been nice if they either came out and said why the tumbleweed is blowing around the project or worked with interested members of the community to move it to a new home. Sadly there appears to be no interest in either option.
I would be happy to play a role in any fork, but I don't feel like I have the time nor the skills to provide the technical leadership. Without leadership we will remain an unruly mob moving pitch forks.
With all this in mind I created 2bitproxy/oauth2_proxy. I picked the name as it includes bit as a reference to the bitly heritage and a tongue in cheek reference the negative "two bit". (It takes under a minute to rename it with sed).
I believe the first 3 points from the plan I posted last week have been resolved. Who wants to help with the remaining 2?
Hi all ... I've reached out internally here at Bitly and will make sure we get a response here soon. Just wanted to drop a line here so you all know we are listening.
@skwashd It's great we have a home for the time being — thanks for stashing away a nice org name! I think you have it right: we can work on improving the project while this gets resolved. A certain breathing room needs to be maintained for @bitly and other community members, as well as possible maintainers, to chime in to this conversation.
@kpurdon Great news! I don't presume to speak for everyone, but I would say the key thing to resolve here is a managerial one. There is no need for a fork if and only if the team at @bitly is dedicated to working towards granting some community members merge permissions and working towards reinforcing the community support itself for this repository.
Hello all,
Sorry it's taken so long to respond—it's often difficult to acknowledge that you can no longer maintain something that you've built and nurtured for so many years.
While this project has served us well internally for a while, we haven't been able to find someone on our team to push it forward and shepherd community contributions that weren't part of our roadmap. We've also since moved on to other priorities and are even investigating switching to buzzfeed/sso since it's a newer fork of oauth2_proxy.
As a result, we've decided to make this read-only and archive this project at the end of September. We're happy to update the readme to point people to newer, maintained forks, so please update this issue (or start a new one) with possible successors in order to make this transition as easy as possible.
Thanks for the update @russtacular
bumb up
I'm calling for a goodbye party to be hosted at one of Flatiron bars. @russtacular
bump
The openshift fork https://github.com/openshift/oauth-proxy has already been mentioned.
I've started a humble and initially somewhat minimal fork myself, and I've made a release: https://github.com/ploxiln/oauth2_proxy/releases
So, @russtacular or @jehiah should push a small update to README.md soon, probably mentioning a couple forks (maybe @JoelSpeed is interested in maintaining an OpenID Connect focused one?)
Is this something that could be contributed to the CNCF? It seems like it would be well within scope for them, and would then limit the number of needlessly divergent forks?
Hi all, I've discussed this with the team @pusher today and we have decided that since we rely on this heavily and have a reasonable understanding of the code base, that we are going to clean up our fork and make it an "official" hard fork.
Personally we have a decent understanding of OIDC but have little experience of the other authentication providers, I'd like to try and find some people willing to help out with the other providers if anyone would like to volunteer?
In the mean time, I am going to update our fork's master to match the current master here and get the outstanding PRs that I own updated and merged, set up some CI and update the documentation on our fork as well as raising a PR to update the documentation here.
WRT the CNCF, I've reached out to @oicheryl for guidance on how and whether this might be suitable for adoption by the CNCF
Thanks for doing this @JoelSpeed
Thanks @JoelSpeed for stepping up.
Originally I thought that forking and maintaining this project would be possible. After a comprehensive review of the available options we decided to go with Cloudflare Access. We already run a bunch of stuff behind Cloudflare, so switching to Access made sense for us.
I hope to find other opportunities to use this proxy. If I do, I hope to contribute to @pusher's fork.
The process for joining the CNCF as a sandbox project is at https://github.com/cncf/toc/blob/master/process/sandbox.md. The main criteria is that two TOC members sponsor the project and it is presented at a TOC meeting (and subsequently approved).
However the majority of the TOC is up for re-election in January, so rather than gathering sponsors now I suggest waiting until after the new TOC members are elected. There is also a growing backlog of projects under review (https://github.com/cncf/toc/issues), so please be patient if it takes a while to schedule.
Having said all of that, I think forking oauth2_proxy and hosting the new project at the CNCF makes a lot of sense. Let me know if it's unclear or you have questions.
Personally we have a decent understanding of OIDC but have little experience of the other authentication providers, I'd like to try and find some people willing to help out with the other providers if anyone would like to volunteer?
We have created a small fork ourselves to include support for Azure AD B2C, which is OIDC with an added policy parameter that needs to be passed to the auth endpoint. For this, we also forked the go-oidc package from CoreOS, on which the OIDC provider is reliant, to pass the parameter upstream.
However, if we get an official fork, we'd be happy to make a proper AAD B2C provider (in addition to the "standard" Azure AD, which works differently), maybe by taking the OIDC provider and the go-oidc package as template, "converting" it to a full provider in oauth2_proxy.
Thoughts on that?
Thanks @oicheryl for your input. Having discussed internally we are planning to continue our plan to adopt the repo and have started the migration process (please add comments if you think anything can be improved: oauth2-proxy/oauth2-proxy#7) from here.
We would then like to start the process for proposing the project to the CNCF when the time is right, perhaps February? This will need some help from the folks @bitly however since part of the process is signing over any trademarks. Hopefully if it gets accepted we should be able to merge any changes made to the @pusher fork in the mean-time into the CNCF homed repository.
@marratj Totally happy for that to happen, once the migration process is complete, if you have time, feel free to start working on a PR. I know that Google also use extra parameters in their implementation of OIDC and have seen this implemented without forking go-oidc so perhaps we can look at that together to work out how not to fork it. Perhaps you can inject it like the HD param is done here? https://github.com/JoelSpeed/dex/blob/ccd954582b85162882656d0842e89af58f87d356/connector/google/google.go#L120
Given this is the only repo that convincingly handles this pretty important use-case (reverse oauth2 proxy, using multiple handlers, very configurable), I would prefer personally to see this find a home which is not a specific company, something like CNCF or as someone else suggested, gofrs. But Pusher do seem to be actively maintaining their fork - I opened an issue which was responded to within hours.
@skwashd has created a "community fork" and Pusher (@JoelSpeed) has forked and are maintaining. This is a bit of an awkward situation. @skwashd would you consider trying to merge your changes via PR into Pusher's fork? Or should Pusher rather try to help land this in a more community-centric place and commit and maintain from there?
@dt-rush See @JoelSpeed's comment from above, that pusher is willing to help contribute it to the cncf, and cncf said it might be a bit slow to catch, so the febuary timeframe seems reasonable to me.
Is it acceptable to everyone to use pushers fork for a few months until all the details can be worked out?
SGTM. Please ping on this issue as updates happen.
Gofrs would be another option and I can help get it moved over there.
I am happy to transfer the organisation to someone he will run with the fork. As mentioned above we have decided to use an alternative product for our use cases. While I am interested in helping out it will all be in my limited spare time. My changes were a change I made to support github teams properly (PR #613) and some "rebranding".
My email address is on my profile. It's probably easier to discuss things there. If you're planning to pull an npm event-stream stunt, don't waste your time emailing me.
I've created a Gofrs issue to adopt the project and I'll volunteer time to work and improve the project.
@xalexslx Could you update the original issue above with the list of forks to give people a migration path whilst community decides the fate of this?
https://github.com/buzzfeed/sso
https://github.com/openshift/oauth-proxy
https://github.com/pusher/oauth2_proxy
Possibly going to be on gofrs gofrs/help-requests#32
Original issue updated with the links and official comment of russtacular regarding this project.
Just by the way, if anyone needs a recent release while waiting for the pusher fork to be ready, I've incorporated the fsnotify/hmacauth import fixes on top of latest master, merged 8 other PRs from this repo (incl. google/github/gitlab groups enhancements, redirect-domain-whitelist, other bits), and made a couple of releases with decent changelogs and binary builds at my fork: https://github.com/ploxiln/oauth2_proxy/releases
Thanks @ploxiln ! Could you push an image to Docker hub?
EDITED (I don't want to spam this issue too much)
Fixed link to my fork's docker image info: https://hub.docker.com/r/ploxiln/oauth2_proxy (it's also mentioned in the README at my fork)
Further discussion of my fork should probably go in issues at my fork. Also note that the "pusher" fork will probably soon be the central/community repo, particularly when it transitions to CNCF.
For those interested I have an update on the progress of the Pusher fork.
- I have got to the stage where I am happy with the migration work (although if anyone would like to review the changes I have made please feel free oauth2-proxy/oauth2-proxy#7)
- Once the migration work has been merged I will create a
v3.0.0release on the Pusher fork to distinguish where the migration was made and start accepting functionality PRs no top of this release - I am still on the look-out to add some maintainers to the repository. For the moment all opened PRs will request the pusher/cloud-team for review but if anyone else is interested in being given review/merge permissions, please email me
joel[at]pusher.com - I have created a new PR (#684) to add an archival notice to this repo which notes the buzzfeed, openshift and pusher forks, this will need reviewing and hopefully merging by someone from bitly (Could @russtacular please help with this?)
- I spoke with several members of the CNCF TOC before christmas about the project and they agree that the project could become a sandbox project with them but some work will need to be done before this can happen. In particular it will need a small amount of co-operation from Bitly so I'd like to initiate a conversation with someone from Bitly about whether they support the idea of transferring the project to the CNCF before I put any further effort into this, @russtacular could you confirm who would be best to talk to about this?
For interested parties, the new v3.0.0 release has now been merged and I will now start working on migrating PRs and issues over to the Pusher fork as and when I have time
Thanks! Did you see the v3.0.0 image has a few known vulnerable libraries or alerts? The quay page 404's for me, but maybe they're visible to you?
https://quay.io/repository/pusher/oauth2_proxy?tag=latest&tab=tags
For interested parties, the new
v3.0.0release has now been merged and I will now start working on migrating PRs and issues over to the Pusher fork as and when I have time
@JoelSpeed Great work! Looking forward to switching to the Pusher version. Do you know when you will merge in the changes from your fork such as OIDC session refresh?
Thanks! Did you see the v3.0.0 image has a few known vulnerable libraries or alerts? The quay page 404's for me, but maybe they're visible to you?
Noted, they are also 404'ing for me so I will try and look into this, I suspect they are vulnerabilities in the debian base image we are using
@JoelSpeed Great work! Looking forward to switching to the Pusher version. Do you know when you will merge in the changes from your fork such as OIDC session refresh?
Working on that this week! See oauth2-proxy/oauth2-proxy#14
I recently released pomerium. Pomerium may be a good fit for new users, or those okay with significant breaking changes from oauth2_proxy.
Like oauth2_proxy, pomerium is a reverse proxy but has additional goals of supporting dynamic policy, and identity/device aware access control similar to BeyondCorp.
@desimone Hi, Pomerium looks nice, especially in terms of code quality and structure. I do miss a few features (e.g. a provider for GitLab) but would be willing to contribute them. Is there a Gitter/Slack/similar chat to discuss things?
Hey Everyone! There are several good forks out there. We recommend looking at them and using them! I have listed out the ones that I found in this list and will add them to the README redirecting people there.
@apriendeau I already have a PR open to add a notice that this repo is archived and list maintained forks, do you have the ability to review it? #684
@JoelSpeed Thanks for saving me the effort! It has been merged and I am going to lock this conversation 👍