This repository has been archived by the owner on Jan 24, 2019. It is now read-only.

/signin does not pass through any redirect URL #400

Open
colemickens opened this issue Jun 1, 2017 · 7 comments

@colemickens

I am using oauth2_proxy with nginx + auth_request. But, virtually always, the callback success drops me on / rather than on the actual place I was originally going.

It doesn't seem like the X-Auth-Request-Url header is being handled correctly possibly, or at least the handoff between the sign_in and start doesn't seem to work.

The only way I've gotten this to work is by making the 401 redirect to https://auth.mydomain.tld/oauth2/start?rd=https://whatever.mydomain.tld/realpath (note that it says start instead of sign_in.)

@ploxiln
Contributor

ploxiln commented Jun 1, 2017

Works for me. How much did your initial attempt differ from

  location /oauth2/ {
    proxy_pass       http://127.0.0.1:4180;
    proxy_set_header Host                    $host;
    proxy_set_header X-Auth-Request-Redirect $request_uri;
  }

  location / {
    auth_request /oauth2/auth;
    error_page 401 = /oauth2/sign_in;
    # ... serve actual content ...
  }

(notice X-Auth-Request-Redirect instead of X-Auth-Request-Url as you wrote)

@vic3lord

vic3lord commented Jun 4, 2017

Hi,
I'm using the Kubernetes nginx ingress. With signin-url pointing to both /start and /sign_in, I do not get to the original URL either.

@madmod

madmod commented Dec 1, 2017

For me /sign_in would not work, but /start did. (I'm using my own fork of #464.)

@iain-buclaw-sociomantic

Still doesn't seem to work.

auth_request /oauth2/auth;
error_page 401 = /oauth2/start;

location = /oauth2/auth {
  internal;
  proxy_pass http://127.0.0.1:4180;
  proxy_set_header X-Auth-Request-Redirect $request_uri;
}

location /oauth2/ {
  auth_request off;
  proxy_pass http://127.0.0.1:4180;
}

@ploxiln
Contributor

ploxiln commented Jan 2, 2018

Currently,

  • only /sign_in looks for the header X-Auth-Request-Redirect
  • only /start looks for the param rd

So if you want to set error_page to /start, you could instead set it to /start?rd=$request_uri

@alikhil

alikhil commented May 16, 2018

I had the same problem with a redirection from https://auth.example.com to https://app.example.com and I spent a whole day solving it.

The problem was in the following lines of code:

oauth2_proxy/oauthproxy.go

Lines 565 to 567 in a94b0a8

if !strings.HasPrefix(redirect, "/") || strings.HasPrefix(redirect, "//") {
	redirect = "/"
}

When oauth2_proxy receives the callback, it checks that the redirect URL is relative to its own domain. It seems to be done for security reasons. But anyway, there are at least two PRs (#461, #464) that were created to solve this problem, and none of them has been merged yet.

For now, the only solution is to apply one of the PRs by hand to HEAD and build a binary.

P.S.
If you are using docker containers, you can temporarily use the alikhil/oauth2_proxy:2.2.2 image, which I built for myself from my own fork.
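
The check quoted in the comment above, and why it sends a cross-domain redirect back to /, as an added Go example that is not part of the original thread or of oauth2_proxy. pageCheck reproduces the quoted condition; allowlistCheck is a hypothetical variant (not the code of PR #461 or #464) that also accepts absolute https URLs for exactly listed hosts, and the hostnames are constructed samples.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// pageCheck reproduces the condition quoted above: anything that is not a
// single-slash relative path is replaced with "/".
func pageCheck(redirect string) string {
	if !strings.HasPrefix(redirect, "/") || strings.HasPrefix(redirect, "//") {
		redirect = "/"
	}
	return redirect
}

// allowlistCheck is a hypothetical variant (not the project's code and not
// taken from the PRs mentioned above): it additionally accepts absolute
// https URLs whose host is exactly in allowed.
func allowlistCheck(redirect string, allowed map[string]bool) string {
	// Browsers may treat '\' like '/', and control bytes confuse parsers; reject both.
	if strings.ContainsAny(redirect, "\\\r\n\t") {
		return "/"
	}
	if strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//") {
		return redirect
	}
	u, err := url.Parse(redirect)
	if err != nil || u.Scheme != "https" || u.User != nil || !allowed[strings.ToLower(u.Host)] {
		return "/"
	}
	return redirect
}

func main() {
	allowed := map[string]bool{"app.example.com": true} // constructed sample
	for _, rd := range []string{
		"/realpath",
		"https://app.example.com/realpath",
		"//other.example.net/x",
		"https://other.example.net/x",
		"https://app.example.com@other.example.net/x",
	} {
		fmt.Printf("%-45q page=%-12q allowlist=%q\n", rd, pageCheck(rd), allowlistCheck(rd, allowed))
	}
}
```

Matching the host exactly, rather than by suffix or substring, is what keeps the wider check from accepting lookalike hosts or userinfo tricks.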

@Stono

Stono commented Jun 12, 2018

You my friend @alikhil are a legend, thanks
