This repository has been archived by the owner on Jan 24, 2019. It is now read-only.

Is it possible to use wildcard subdomains in combination with GitHub as OAuth provider? #550

Open
simonvanderveldt opened this issue Feb 16, 2018 · 7 comments

Comments

@simonvanderveldt

I was wondering if oauth2_proxy in combination with GitHub as OAuth provider allows the possibility of using wildcard subdomains for a single GitHub OAuth app?

AFAIK that's most of the time done through the state arg, but I don't think there's a way to add custom values to state at the moment.

Also, the wildcard/whitelisted subdomains functionality from #464 doesn't seem to work for this use case, probably because GitHub always redirects to the Authorization callback URL, which is not subdomain specific.

Is this simply not possible or am I missing something?

@JoelSpeed
Contributor

The work in #464 is for using one oauth2_proxy to protect multiple internal websites.

You are correct indeed that GitHub will only let you set one redirect URL and that should be the URL of your oauth2_proxy. To then protect multiple internal sites you need to start the authentication flow by directing users to https://oauth2.yourdomain.com/oauth/start?rd=https://subdomain.yourdomain.com (when you have the whitelist-domain set as .yourdomain.com).

We do this within our Kubernetes Ingress so I can't really advise how else you might do this if that isn't your use case. Although, if you put Nginx in front of any website you want to protect and use the auth request method you should be able to protect multiple internal sites with a single oauth2_proxy.

@simonvanderveldt
Author

@JoelSpeed Thx! I'll give the code in your PR a try.

@simonvanderveldt
Author

> You are correct indeed that GitHub will only let you set one redirect URL and that should be the URL of your oauth2_proxy. To then protect multiple internal sites you need to start the authentication flow by directing users to https://oauth2.yourdomain.com/oauth/start?rd=https://subdomain.yourdomain.com (when you have the whitelist-domain set as .yourdomain.com).
>
> We do this within our Kubernetes Ingress so I can't really advise how else you might do this if that isn't your use case. Although, if you put Nginx in front of any website you want to protect and use the auth request method you should be able to protect multiple internal sites with a single oauth2_proxy.

@JoelSpeed Trying to understand the flow you currently have: Does the Kubernetes ingress you use redirect (301?) to https://oauth2.yourdomain.com/oauth/start?rd=https://subdomain.yourdomain.com and the flow starts from there?
If so, how can the user access the app running on the subdomain since nothing is proxying it?

Or does the Kubernetes ingress do the equivalent of nginx's auth_request and send off a call to oauth2_proxy? If so, to which URL/hostname? The publicly accessible https://oauth2.yourdomain.com/oauth/auth isn't going to work, right? And where would you then pass the redirect to https://subdomain.yourdomain.com in that case?

@JoelSpeed
Contributor

@simonvanderveldt Our ingress object proxies to the app as it normally would with any service.

To protect it with the oauth2_proxy we simply add the following annotations to the ingress object and, as you say, it uses nginx's auth_request directive.

We have the oauth2_proxy publicly accessible at https://auth.yourdomain.com/oauth2/ but it doesn't ever actually do any proxying, we just use the auth and start endpoints to check if the user is presently authenticated and then redirect them if not.

Note that we are using the Nginx ingress controller for this; I don't think other controllers support these annotations out of the box.

```yaml
  annotations:
    ingress.kubernetes.io/auth-url: "https://auth.yourdomain.com/oauth2/auth"
    ingress.kubernetes.io/auth-signin: "https://auth.yourdomain.com/oauth2/start?rd=https://$host$request_uri"
```

@simonvanderveldt
Author

@JoelSpeed Awesome, thanks a lot!
I'll have a look at the nginx ingress controller. It seems auth_request doesn't support URLs by default; I will have a look into how that's solved with the ingress controller.

@MaksymBilenko

@JoelSpeed I've tried your way but I'm having an issue with cyclic redirects (GitHub oauth2).
Did you have a similar issue?

github:
Homepage URL: auth.mydomain.com/oauth
Authorization callback URL: auth.mydomain.com/oauth/callback

When trying to auth dashboard.mydomain.com with your ingress annotations I'm getting cyclic redirects after GitHub auth.

@MaksymBilenko

Managed to make it work.
The issue was that I had the auth URL pointing to the internal k8s service: nginx.ingress.kubernetes.io/auth-url: http://oauth2-proxy.kube-system.svc.cluster.local:4180/oauth2/auth
Fixed this issue by adding --cookie-domain=mydomain.com to the oauth2-proxy args.
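Putting JoelSpeed's auth_request description and MaksymBilenko's cookie-domain fix together, here is an added plain-nginx configuration (not from this thread or the oauth2_proxy project) that protects a second subdomain with one oauth2_proxy living on the single GitHub callback host. The hostnames, the 127.0.0.1:4180 listener and the dashboard-backend upstream are assumptions.

```nginx
# Added example: one oauth2_proxy behind https://auth.yourdomain.com (the single
# GitHub callback URL) guarding several subdomains. Assumed: oauth2_proxy listens
# on 127.0.0.1:4180 and is started with
#   --whitelist-domain=.yourdomain.com  (accept rd= targets under the zone)
#   --cookie-domain=yourdomain.com      (cookie valid on every subdomain; without it
#       the cookie is host-only for auth.yourdomain.com, every auth_request from
#       dashboard.yourdomain.com gets 401, and the browser loops between the two)
# Keep the cookie domain no wider than the hosts actually protected.

# Auth host: the only vhost that proxies to oauth2_proxy itself.
server {
    listen 443 ssl;
    server_name auth.yourdomain.com;   # ssl_certificate directives omitted
    location /oauth2/ {
        proxy_pass       http://127.0.0.1:4180;
        proxy_set_header Host      $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme  $scheme;
    }
}

# Protected app: never talks to GitHub, only asks oauth2_proxy whether the
# session cookie sent by the browser is valid.
server {
    listen 443 ssl;
    server_name dashboard.yourdomain.com;
    # Internal subrequest target; auth_request subrequests inherit the client's
    # headers, so the session cookie reaches oauth2_proxy.
    location = /_oauth2_auth {
        internal;
        proxy_pass              http://127.0.0.1:4180/oauth2/auth;
        proxy_set_header        Host           $host;
        proxy_set_header        X-Real-IP      $remote_addr;
        proxy_set_header        X-Scheme       $scheme;
        proxy_set_header        Content-Length "";
        proxy_pass_request_body off;
    }

    location / {
        auth_request /_oauth2_auth;
        # 401 = no valid session: start the flow on the auth host, then return here.
        error_page 401 = @signin;
        proxy_pass http://dashboard-backend;   # assumed upstream
    }

    location @signin {
        # $request_uri is not URL-encoded; a query string may not survive the rd= hop.
        return 302 https://auth.yourdomain.com/oauth2/start?rd=https://$host$request_uri;
    }
}
```

Each additional subdomain gets a copy of the second server block; only the auth host ever reaches GitHub, which is why a single Authorization callback URL suffices.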
