-skip-auth-regex flag does not work when using a redirect #53
Comments
I think more explanation is needed. It sounds like you're using the If the user tries to access (or follows a link to) example.com/actual/app and it is not whitelisted, then oauth2_proxy returns a 40x for the auth_request, and nginx redirects to /oauth2/sign_in or /oauth2/start?rd=... and they have to sign in before being redirected to /actual/app. However, if example.com/actual/app is whitelisted, they should never get the redirect, they should go right through on the first attempt.
So what we are seeing in the logs is that whilst we set the pattern to be, for example, When using this parameter with the Kubernetes Ingress Controller it would mean that it needs to check the
Ah, right, if doing
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.
The -skip-auth-regex flag values are only validated against the request path and not the rd= path
Expected Behavior
If using with redirects, the path to be validated should be the redirect path
Current Behavior
When integrated with nginx-controller as part of Kubernetes, the path will also be the value of the auth path such as /dev/oauth/auth which never matches the redirect path of the application being protected.
Possible Solution
Alter the IsWhitelistedRequest() method to handle passing in redirect path instead of req.URL.Path if the request has a redirect. Potentially use p.GetRedirect(req) to determine if a redirect is available.
Your Environment
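The Possible Solution above, sketched as an added example; this is not oauth2_proxy code and does not reproduce IsWhitelistedRequest() or GetRedirect(). The names pathToCheck, isSkipped and skipPatterns are hypothetical and the pattern and request URLs are constructed. It matches the skip patterns against the cleaned path component of rd= when one is present, and against the request path otherwise.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"regexp"
)

// Constructed skip pattern for illustration; not taken from the issue.
var skipPatterns = []*regexp.Regexp{regexp.MustCompile(`^/actual/app/health`)}

// pathToCheck (hypothetical helper) returns the path the skip patterns are
// tested against: the path of rd= when present, else the request's own path.
func pathToCheck(rawURL string) (string, error) {
	reqURL, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	rd := reqURL.Query().Get("rd")
	if rd == "" {
		return reqURL.Path, nil
	}
	u, err := url.Parse(rd)
	if err != nil {
		return "", err
	}
	// Host, query and fragment of rd are dropped and "../" is resolved first.
	return path.Clean("/" + u.Path), nil
}

// isSkipped reports whether any pattern matches; parse errors never skip auth.
func isSkipped(patterns []*regexp.Regexp, rawURL string) bool {
	p, err := pathToCheck(rawURL)
	for _, re := range patterns {
		if err == nil && re.MatchString(p) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed requests as the auth endpoint would receive them.
	for _, raw := range []string{"/dev/oauth/auth?rd=%2Factual%2Fapp%2Fhealth", "/dev/oauth/auth"} {
		fmt.Println(raw, isSkipped(skipPatterns, raw))
	}
}
```

The rd value is only as trustworthy as whatever builds it, so a check like this belongs behind a proxy that sets rd itself rather than passing a client-supplied one through.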