version 2.7.0

@ploxiln ploxiln released this 27 May 21:18
· 20 commits to master since this release
6a4dd45

Security related:

Potentially compatibility-breaking changes:

  • #52 The interpretation of cookie-secret was fixed, and a secret that is not valid for an AES key used for encrypting tokens (for cookie-refresh or pass-access-token) may now be rejected. Base64 padding is no longer added after base64 decode (in addition to before base64 decode); that extra padding accidentally made cookie-secret seem to be the appropriate length.
  • #57 Rename some flags and config-file options for consistency:
    • flags: --tls-cert to --tls-cert-file, --tls-key to --tls-key-file
    • config: proxy-prefix to proxy_prefix, google_group to google_groups, github_team to github_teams
    • flag --github-team should now be passed multiple times for multiple teams, rather than taking a single comma-separated value, and --github-team= now means a team named "" instead of no-team-required.
  • #55 remove recently-added option/flag xheaders, and replace with new option/flag real-client-ip-header to choose between X-Real-IP or X-Forwarded-For or disabled
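
The cookie-secret change in #52 can be checked before upgrading. The sketch below is an added example, not oauth2_proxy's own code: it sizes a secret after base64 decode and again with padding appended after the decode, and flags secrets that only looked like a valid AES key (16, 24 or 32 bytes) because of that extra padding. The URL-safe alphabet, padding to a multiple of 4, and the names `CheckCookieSecret`, `SecretReport` and `sampleSecret` are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"strings"
)

// validAESKeyLen reports whether n bytes is an AES-128/192/256 key size.
func validAESKeyLen(n int) bool { return n == 16 || n == 24 || n == 32 }

// padTo4 appends '=' until len(s) is a multiple of 4 (assumed padding rule).
func padTo4(s string) string {
	if r := len(s) % 4; r != 0 {
		s += strings.Repeat("=", 4-r)
	}
	return s
}

// SecretReport holds the byte length of a cookie-secret under each reading.
type SecretReport struct {
	RawLen      int  // secret used as-is
	DecodedLen  int  // after base64url decode; -1 if it does not decode
	RepaddedLen int  // if '=' is also appended after decoding (pre-#52 behaviour)
	Masked      bool // only the post-decode padding made the length look valid
}

// CheckCookieSecret (hypothetical helper) sizes a secret both ways.
func CheckCookieSecret(secret string) SecretReport {
	r := SecretReport{RawLen: len(secret), DecodedLen: -1, RepaddedLen: -1}
	b, err := base64.URLEncoding.DecodeString(padTo4(secret))
	if err != nil {
		return r // not base64: only the raw length applies
	}
	r.DecodedLen = len(b)
	r.RepaddedLen = len(padTo4(string(b)))
	r.Masked = !validAESKeyLen(r.DecodedLen) && validAESKeyLen(r.RepaddedLen)
	return r
}

// sampleSecret builds a constructed, non-random base64url secret of n bytes.
func sampleSecret(n int) string {
	return base64.RawURLEncoding.EncodeToString(bytes.Repeat([]byte{0xA5}, n))
}

func main() {
	for _, n := range []int{32, 30, 22} {
		fmt.Printf("%d-byte secret: %+v\n", n, CheckCookieSecret(sampleSecret(n)))
	}
}
```

A secret reported with `Masked: true` decodes to fewer bytes than an AES key needs and should be regenerated before upgrading.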

Features:

  • #45 new option/flag banner to override default sign-in banner html
  • #54 new option/flag prompt to replace approval_prompt param to provider
  • #56, #58 new option/flag force-https to redirect user requests from http to https (based on X-Forwarded-Proto header because oauth2_proxy listens for either http or https but never both, yet)
  • #46 add header Cache-Control: no-store to auth-flow-related responses to prevent inappropriate browser caching

Fixes and refinements:

  • #47 websockets now respect ssl-insecure-skip-verify option
  • #43 fix sign_in page url fragment after reload in Firefox
  • #49 log reason when redirect (to application) URL is invalid
  • #51 more precise cookie size check/warning
  • #44 clean-up validator tests
  • #53 switch from Travis-CI to GitHub Actions for CI, minor test fixes for go-1.14
  • update README links, cookie-secret generate example