Comments (4)
Note that the HTTP/1.1 specification states that (https://www.rfc-editor.org/rfc/rfc2616#section-10.3.3):
RFC 1945 and RFC 2068 specify that the client is not allowed to change the method on the redirected request. However, most existing user agent implementations treat 302 as if it were a 303 response, performing a GET on the Location field-value regardless of the original request method. The status codes 303 and 307 have been added for servers that wish to make unambiguously clear which kind of reaction is expected of the client.
So it seems that 307 is simply an addition to the spec because every browser/user-agent is not correctly processing 302 (i.e. they change the HTTP method to GET). So 307 is processed how 302 "should" be processed: redirect, but don't change the HTTP method.
from gloo.
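The 302-versus-307 behaviour described in the comment above, as an added example that is not part of this issue thread or of the Gloo project: a small Python script that starts a local HTTP server with two redirecting endpoints and a client that follows redirects the way the quoted RFC text says real user agents do (302 and 303 switch the method to GET and drop the body; 307 and 308 re-send the original method and body). The endpoint paths, the port selection and the constructed request body are assumptions made for the example.

```python
"""Show what a redirect target sees after a 302 versus a 307 redirect.

The client below models common user-agent behaviour: 302/303 -> GET without
body, 307/308 -> original method and body preserved.  This is example code,
not Gloo's redirect handling.
"""
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit


class RedirectHandler(BaseHTTPRequestHandler):
    """Assumed endpoints: /redirect302, /redirect307 and /target (echo)."""

    def log_message(self, *args):  # keep the demo output quiet
        pass

    def _read_body(self):
        length = int(self.headers.get("Content-Length") or 0)
        return self.rfile.read(length) if length else b""

    def _respond(self, status, headers=(), body=b""):
        self.send_response(status)
        for name, value in headers:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def _handle(self):
        body = self._read_body()
        if self.path == "/redirect302":
            self._respond(302, [("Location", "/target")])
        elif self.path == "/redirect307":
            self._respond(307, [("Location", "/target")])
        elif self.path == "/target":
            # Echo back the method and body that actually arrived here.
            echo = json.dumps({"method": self.command, "body": body.decode()}).encode()
            self._respond(200, [("Content-Type", "application/json")], echo)
        else:
            self._respond(404)

    do_GET = _handle
    do_POST = _handle


def method_after_redirect(method: str, status: int) -> str:
    """Method a typical browser uses for the redirected request."""
    if status in (302, 303) and method != "HEAD":
        return "GET"          # 302 treated like 303: method rewritten to GET
    return method             # 307/308: method (and body) preserved


def follow(port, method, path, body=b"", max_hops=5):
    """Send one request and follow redirects like a browser; return (status, echoed JSON)."""
    for _ in range(max_hops):
        conn = http.client.HTTPConnection("127.0.0.1", port)
        conn.request(method, path, body=body or None)
        resp = conn.getresponse()
        data = resp.read()
        conn.close()
        if resp.status in (301, 302, 303, 307, 308):
            path = urlsplit(resp.getheader("Location")).path
            method = method_after_redirect(method, resp.status)
            if method == "GET":
                body = b""    # the original POST payload is lost here
            continue
        return resp.status, (json.loads(data) if data else None)
    raise RuntimeError("too many redirects")


def run_demo():
    """Run both redirect kinds against a throwaway local server."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), RedirectHandler)  # port 0 = OS picks
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    try:
        payload = b"grant=code"  # constructed sample POST body
        return {
            "302": follow(port, "POST", "/redirect302", payload)[1],
            "307": follow(port, "POST", "/redirect307", payload)[1],
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for status, seen in run_demo().items():
        print(f"{status} redirect -> target saw {seen['method']} with body {seen['body']!r}")
```

Running the script shows the target receiving a body-less GET after the 302 and the original POST with its payload after the 307, which is exactly why a 302 in the middle of an OAuth redirect chain silently drops a POST.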
@edubonifs I assume this is with OAuth Authorization Code Flow, right?
Yes @DuncanDoyle , OAuth Authorization Code Flow
Reproducer: https://github.com/DuncanDoyle/ge-gloo-9231
AFAICT, the redirect we do in the "dance" with the IdP (Keycloak in the reproducer) stores the endpoint to redirect to in the state JWT. We don't store which HTTP method was originally used for the request. Another potential problem is that, even if we were able to redirect with the correct method (e.g. a POST in this example), the original data that was sent on the POST request also needs to be stored in the state JWT. And this could probably introduce a number of issues:
- We could send sensitive data to the IdP as part of that state.
- The state is sent as a query param, and therefore has limited size. The HTTP POST data can potentially be very large, resulting in a very large query param.
- The state query param could contain sensitive data that could be logged in access logs if not careful.
Tbh, I don't know what the OAuth specification states about this scenario. I'm not sure if it can be supported and how ....