Added allowed-url option for secure allowance of custom redirection URLs #544
Conversation
|
This is indeed a popular request. The current best implementation might be in #464 |
|
@ploxiln thanks for a link! |
|
But, I definitely have to add a test for my implementation and add support of set an option from the environment variable, looks like many peoples need it. |
|
The implementation I linked to does support subdomain wildcard. That should cover most use cases. I don't think supporting an environment variable is important. It's important for secret values, but not for other misc config options. |
|
@ploxiln yes, you are right, I found that check. And I see that change in 'OAuthCallback' function is missed, because it has a same block with a check or redirection. |
That is a small change which adding one option - "allowed-url" which able user to set regex for validate "rd" option instead of just replacing it to '/' if it contain absolute path.
Why?
Because if you have many services on different domains (as example - kubernetes cluster with tens of services) and want to protect them, you don't want to deploy many oauth2_proxy one per domain, you want to use one oauth2_proxy and validate redirection URLs for make redirection secure.
Example of usage
Adding option
--allowed-url=.+\.internals\.example\.comwill allow you to use one proxy for all services in subdomain .internals.example.com.Is it tested?
I built a container with that change - onlinehead/oauth2_proxy:2.2.1 and tested it on my K8s cluster in pair of GitLab as Oauth provider. And looks like it working OK.
P.S. I am not sure that name of the option is right.