This repository has been archived by the owner on Jan 24, 2019. It is now read-only.
Added allowed-url option for secure allowance of custom redirection URLs #544
This is a small change which adds one option, "allowed-url", which enables the user to set a regex for validating the "rd" option instead of just replacing it with '/' if it contains an absolute path.
Why?
Because if you have many services on different domains (for example, a Kubernetes cluster with tens of services) and want to protect them, you don't want to deploy many oauth2_proxy instances, one per domain; you want to use one oauth2_proxy and validate redirection URLs to make redirection secure.
Example of usage
Adding option
--allowed-url=.+\.internals\.example\.com
will allow you to use one proxy for all services in subdomain .internals.example.com.
Is it tested?
I built a container with that change, onlinehead/oauth2_proxy:2.2.1, and tested it on my K8s cluster paired with GitLab as the OAuth provider. It looks like it is working OK.
P.S. I am not sure that the name of the option is right.
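A check a reviewer would want for a regex-based `rd` allow-list, as an added example that is not code from this pull request or from oauth2_proxy: it compares matching the pattern from the description anywhere in the raw `rd` string against parsing the URL and matching only the hostname with an anchored pattern. The page does not show how the option applies the pattern, so the function names, the anchored pattern, the http(s)-only rule and the sample URLs are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Pattern from the PR description, compiled as written (unanchored).
var loose = regexp.MustCompile(`.+\.internals\.example\.com`)

// Assumed hardened form: anchored, and restricted to hostname characters.
var strict = regexp.MustCompile(`^[a-z0-9-]+(\.[a-z0-9-]+)*\.internals\.example\.com$`)

// looseAllowed matches the pattern anywhere in the raw rd string.
func looseAllowed(rd string) bool {
	return loose.MatchString(rd)
}

// hostAllowed parses rd and matches only its hostname against the anchored pattern.
func hostAllowed(rd string) bool {
	u, err := url.Parse(rd)
	if err != nil || u.User != nil {
		return false // unparsable, or carries userinfo such as user@host
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return false // this example accepts absolute http(s) URLs only
	}
	return strict.MatchString(strings.ToLower(u.Hostname()))
}

func main() {
	// Constructed sample rd values, not taken from the page.
	samples := []string{
		"https://gitlab.internals.example.com/dashboard",
		"https://unrelated.example/?next=a.internals.example.com",
		"https://a.internals.example.com.unrelated.example/",
	}
	for _, rd := range samples {
		fmt.Printf("%-58s loose=%-5v host=%v\n", rd, looseAllowed(rd), hostAllowed(rd))
	}
}
```

Only the first sample is accepted by the hostname check, while the unanchored match accepts all three, so a pattern supplied to such an option should be anchored and applied to the parsed host rather than to the whole URL string.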