Download Latest Version v7.11.0 source code.tar.gz (1.6 MB)
Email in envelope

Get an email when there's a new version of OAuth2 Proxy

Home / v7.11.0
Name Modified Size InfoDownloads / Week
Parent folder
oauth2-proxy-v7.11.0.linux-armv7.tar.gz-sha256sum.txt 2025-07-30 106 Bytes
0
oauth2-proxy-v7.11.0.linux-ppc64le-sha256sum.txt 2025-07-30 114 Bytes
0
oauth2-proxy-v7.11.0.linux-ppc64le.tar.gz-sha256sum.txt 2025-07-30 108 Bytes
0
oauth2-proxy-v7.11.0.linux-s390x-sha256sum.txt 2025-07-30 112 Bytes
0
oauth2-proxy-v7.11.0.linux-s390x.tar.gz-sha256sum.txt 2025-07-30 106 Bytes
0
oauth2-proxy-v7.11.0.windows-amd64-sha256sum.txt 2025-07-30 114 Bytes
0
oauth2-proxy-v7.11.0.windows-amd64.tar.gz-sha256sum.txt 2025-07-30 108 Bytes
0
oauth2-proxy-v7.11.0.darwin-amd64-sha256sum.txt 2025-07-30 113 Bytes
0
oauth2-proxy-v7.11.0.darwin-amd64.tar.gz-sha256sum.txt 2025-07-30 107 Bytes
0
oauth2-proxy-v7.11.0.darwin-arm64-sha256sum.txt 2025-07-30 113 Bytes
0
oauth2-proxy-v7.11.0.darwin-arm64.tar.gz-sha256sum.txt 2025-07-30 107 Bytes
0
oauth2-proxy-v7.11.0.freebsd-amd64-sha256sum.txt 2025-07-30 114 Bytes
0
oauth2-proxy-v7.11.0.freebsd-amd64.tar.gz-sha256sum.txt 2025-07-30 108 Bytes
0
oauth2-proxy-v7.11.0.linux-amd64-sha256sum.txt 2025-07-30 112 Bytes
0
oauth2-proxy-v7.11.0.linux-amd64.tar.gz-sha256sum.txt 2025-07-30 106 Bytes
0
oauth2-proxy-v7.11.0.linux-arm64-sha256sum.txt 2025-07-30 112 Bytes
0
oauth2-proxy-v7.11.0.linux-arm64.tar.gz-sha256sum.txt 2025-07-30 106 Bytes
0
oauth2-proxy-v7.11.0.linux-armv5-sha256sum.txt 2025-07-30 112 Bytes
0
oauth2-proxy-v7.11.0.linux-armv5.tar.gz-sha256sum.txt 2025-07-30 106 Bytes
0
oauth2-proxy-v7.11.0.linux-armv6-sha256sum.txt 2025-07-30 112 Bytes
0
oauth2-proxy-v7.11.0.linux-armv6.tar.gz-sha256sum.txt 2025-07-30 106 Bytes
0
oauth2-proxy-v7.11.0.linux-armv7-sha256sum.txt 2025-07-30 112 Bytes
0
oauth2-proxy-v7.11.0.windows-amd64.tar.gz 2025-07-30 18.8 MB
0
oauth2-proxy-v7.11.0.linux-armv5.tar.gz 2025-07-30 16.6 MB
0
oauth2-proxy-v7.11.0.linux-armv6.tar.gz 2025-07-30 16.6 MB
0
oauth2-proxy-v7.11.0.linux-armv7.tar.gz 2025-07-30 16.6 MB
0
oauth2-proxy-v7.11.0.linux-ppc64le.tar.gz 2025-07-30 17.4 MB
0
oauth2-proxy-v7.11.0.linux-s390x.tar.gz 2025-07-30 18.1 MB
0
oauth2-proxy-v7.11.0.darwin-amd64.tar.gz 2025-07-30 18.6 MB
0
oauth2-proxy-v7.11.0.darwin-arm64.tar.gz 2025-07-30 17.5 MB
0
oauth2-proxy-v7.11.0.freebsd-amd64.tar.gz 2025-07-30 18.5 MB
0
oauth2-proxy-v7.11.0.linux-amd64.tar.gz 2025-07-30 18.6 MB
0
oauth2-proxy-v7.11.0.linux-arm64.tar.gz 2025-07-30 17.3 MB
0
README.md 2025-07-30 3.0 kB
0
v7.11.0 source code.tar.gz 2025-07-30 1.6 MB
0
v7.11.0 source code.zip 2025-07-30 1.9 MB
2 2 weekly downloads
Totals: 36 Items   198.2 MB 2

Release Highlights

  • 🏢 Support for SourceHut (sr.ht) provider
  • 🔍️ Support for more fine-grained control over the google admin-sdk scopes and optional google groups
  • 🐛 Squashed some bugs

Important Notes

Firstly, fixed critical vulnerability where skip_auth_routes regex patterns matched against the full request URI (path + query parameters) instead of just the path, allowing authentication bypass attacks.

Secondly, fixed double-escaping of $ in regexes for Alpha Config upstreams path and rewriteTargets:

:::yaml
# Before
upstreams:
  - id: web
    path: ^/(.*)$$
    rewriteTarget: /$$1

# After
upstreams:
  - id: web
    path: ^/(.*)$
    rewriteTarget: /$1

Breaking Changes

If your configuration relies on matching query parameters in skip_auth_routes patterns, you must update your regex patterns to match paths only. Review all skip_auth_routes entries for potential impact.

Example of affected configuration:

:::yaml
# This pattern previously matched both:
# - /api/foo/status (intended)
# - /api/private/sensitive?path=/status (bypass - now fixed)
skip_auth_routes: ["^/api/.*/status"]

For detailed information, migration guidance, and security implications, see the security advisory.

Changes since v7.10.0

  • #2615 feat(cookies): add option to set a limit on the number of per-request CSRF cookies oauth2-proxy sets (@bh-tt)
  • #2605 fix: show login page on broken cookie (@Primexz)
  • #2743 feat: allow use more possible google admin-sdk api scopes (@BobDu)
  • #2359 feat: add SourceHut (sr.ht) provider(@bitfehler)
  • #2524 fix: regex substitution for $ signs in upstream path handling before running envsubst (@dashkan / @tuunit)
  • #3104 feat(cookie): add feature support for cookie-secret-file (@sandy2008)
  • #3055 feat: support non-default authorization request response mode also for OIDC providers (@stieler-it)
  • #3138 feat: make google_groups argument optional when using google provider (@sourava01)
  • #3093 feat: differentiate between "no available key" and error for redis sessions (@nobletrout)
  • GHSA-7rh7-c77v-6434 fix: skip_auth_routes bypass through query parameter inclusion
Source: README.md, updated 2025-07-30