Comments (12)
This is now fixed since #10 has been merged
from oauth2-proxy.
Awesome, thanks. For planning/adoption purposes, might I ask how soon we could expect to see a new Release available with this fix?
from oauth2-proxy.
There are a couple of PRs open for optimizations and bug fixes that I would like to get merged before we make a new release, hopefully this should be within the next couple of weeks
from oauth2-proxy.
@JoelSpeed I went ahead and tested this change today and the behavior isn't what I expected.
I thought this change would update oauth2_proxy so that it would simply hand out whatever redirect-url was configured. I expected this would allow me to configure oauth2_proxy with a redirect url independent of the proxyPrefix used for internal routing.
For example, I am running oauth2_proxy with the default proxy path... receiving all traffic under the /oauth
... But I wanted to give out a redirect URL with the path of an external ingress which sits out in front of the proxy (a path that oauth2_proxy never sees). Something like /myprotectedpath/oauth/callback
. When the callback comes back to my ingress at /myprotectedpath/oauth/callback
, I would rewrite the URL to /oauth/callback
before sending it on to oauth2_proxy.
But in testing and then looking at the code more closely, this change affects both the path the oauth2_proxy gives out during the oauth dance and it also updates the internal path routing within the proxy itself... So the external path and internal routing are still forced to match. In my example, oauth2_proxy would hand out the path /myprotectedpath/oauth/callback
and then also only handle the callback if it came to /myprotectedpath/oauth/callback
... while all other routes it would expect under /oauth
.
So it feels like we've ended up in a state where we have a proxy-path for only one route? Is this the expected behavior?
from oauth2-proxy.
Looking at the PR (https://github.com/pusher/oauth2_proxy/pull/10/files), I feel like the change to oauthproxy.go lines 186-188 are good because they fix the proxy to hand out whatever redirect-url was configured. But the change to oauthproxy.go line 223 is incorrect; that line should have been kept the same to keep oauth2_proxy's internal routing consistent based on the proxy path.
from oauth2-proxy.
@dt-rush Please see my comments above. What do you think?
from oauth2-proxy.
@JoelSpeed Can we re-open this issue? I really think that the PR which was merged is badly flawed.
from oauth2-proxy.
I suggest opening a PR with your suggested adjustment, and having further discussion there.
(I think you're right, btw.)
from oauth2-proxy.
@Ghazgkull Please open a PR with your suggested change as @ploxiln has suggested and I will take a look
from oauth2-proxy.
@ploxiln @JoelSpeed Oh. Derp. I just opened PR 99, but I see you guys already made the change. Cheers.
from oauth2-proxy.
nope, sorry to cause confusion, that was related to my fork, which has diverged, the fix is not in this repo
from oauth2-proxy.
@ploxiln @Ghazgkull could you take a look at #101 and verify that this is the change we need to make here?
from oauth2-proxy.
Related Issues (20)
- [Support]: <Keycloak-OIDC failed> HOT 1
- [Bug]: GitHub private repo check throwing 500 instead of 403 when user does not have access
- [Bug]: Keycloak OIDC Provider Multiple Calls to Fetch Keys to Verify JWT in Auth Header
- [Support]: Add scope field inside bearer token
- [Support]: How to configure oauth2 with kubernetes HOT 1
- Trying to implement simple Oauth2-proxy/nginx configuration HOT 3
- [Bug]: wait-for-redis fails to detect redis with default image HOT 3
- [Support]: Connection refused to Keycloak instance running in the separate container
- [Bug]: Alpha-configuration environment variables are not being replaced HOT 1
- [Bug]: local-environment example for keycloak does not run HOT 1
- [--cookie-secret-file option]: new option to ease cookie-secret rotation HOT 1
- [Bug]: CVE-2024-24786 google.golang.org/protobuf HOT 1
- [Bug]: CVE-2023-45288 golang.org/x/net HOT 3
- [Bug]: CVE-2023-45288 github.com/go-jose/go-jose/v3 HOT 2
- [upstream with basic auth]: upstream may require basic auth
- [Feature]: Include sequence diagram in the documentation
- [Feature]: Don't require email for OIDC
- [Support]: unable to verify bearer token, failed to verify token: oidc: id token issued by a different provider HOT 1
- [Feature]: User.Read scope required for Azure Provider?
- [Support]: Problem with OAuth2 and Keycloak-oidc on Kibana in a Minikube Cluster
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from oauth2-proxy.