Redirect to relative subpath for approval, relative parent path on success #13569
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
liggitt
changed the title
deads2k
reviewed
Mar 29, 2017
pkg/auth/oauth/handlers/grant.go
Outdated
| reqURL := &(*req.URL) | ||
| reqURL.Host = "" | ||
| reqURL.Scheme = "" | ||
| reqURL.Path = path.Join("..", lastSegment) |
There was a problem hiding this comment.
Why go up a level and back down to the same level?
There was a problem hiding this comment.
gets rid of trailing slash
There was a problem hiding this comment.
Use path.Base or strings.TrimRight? Regardless, probably needs a comment.
There was a problem hiding this comment.
you misunderstand, it gets rid of the trailing slash in the browser... if you just redirect to ., you'd get /oauth/authorize/
deads2k
reviewed
Mar 29, 2017
| ), | ||
| ) | ||
| } | ||
| if strings.HasSuffix(url.Path, "/") { |
There was a problem hiding this comment.
These didn't work before either?
There was a problem hiding this comment.
they didn't work for grant approval flows (which realistically, no one hit before jenkins OAuth), they could have worked for /oauth/authorize proxying
|
[test] |
liggitt
changed the title
|
LGTM 👍 |
|
[merge] |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/556/) (Base Commit: f0670df) (Image: devenv-rhel7_6115) |
|
Evaluated for origin merge up to f42b363 |
|
[test] |
|
Evaluated for origin test up to f42b363 |
|
continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/556/) (Base Commit: f0670df) |
enj
added a commit
to enj/openshift-docs
that referenced
this pull request
May 3, 2018
This change moves the docs away from the frontend based RequestHeaderIdentityProvider to the backend based BasicAuthPasswordIdentityProvider. This is because the LDAP docs assume a password based flow which requires the RequestHeaderIDP to support form based login. In 3.3 and earlier (before the grant approval flow existed), this form based login occurred in a single step that did not require a session. The grant flow changes this flow to require more than one step, necessitating the need for a session based approach. Apache does not have a form module that supports sessions, thus we cannot use the RequestHeaderIDP. By moving to the BasicAuthPasswordIDP, we leverage OpenShift's ability to manage sessions directly. This changes the network flow from: RequestHeaderIDP: User -> Apache -> OpenShift to: BasicAuthPasswordIDP: User -> OpenShift -> Apache From the perspective of Apache, the entire flow occurs in one step and thus Apache does not need to maintain a session. This allows users to continue to use their investment in SSSD and PAM to have a robust LDAP setup that supports automatic failover. There is no specific requirement on which PAM provider is used; these docs simply present one specific approach. This does have the negative side effect of making OpenShift see user's passwords. However, any individual that is concerned by this should instead use the RequestHeaderIdentityProvider with SAML and GSSAPI to eliminate the need for users to type passwords at all. This is required for OCP 3.4+ Fixes bug: Bug 1545548 Caused by fixing: Bug 1421629 Bug 1434983 Bug 1439221 Bug 1439222 via openshift/origin#13569 Signed-off-by: Monis Khan <mkhan@redhat.com>
kalexand-rh
pushed a commit
to kalexand-rh/openshift-docs
that referenced
this pull request
May 11, 2018
This change moves the docs away from the frontend based RequestHeaderIdentityProvider to the backend based BasicAuthPasswordIdentityProvider. This is because the LDAP docs assume a password based flow which requires the RequestHeaderIDP to support form based login. In 3.3 and earlier (before the grant approval flow existed), this form based login occurred in a single step that did not require a session. The grant flow changes this flow to require more than one step, necessitating the need for a session based approach. Apache does not have a form module that supports sessions, thus we cannot use the RequestHeaderIDP. By moving to the BasicAuthPasswordIDP, we leverage OpenShift's ability to manage sessions directly. This changes the network flow from: RequestHeaderIDP: User -> Apache -> OpenShift to: BasicAuthPasswordIDP: User -> OpenShift -> Apache From the perspective of Apache, the entire flow occurs in one step and thus Apache does not need to maintain a session. This allows users to continue to use their investment in SSSD and PAM to have a robust LDAP setup that supports automatic failover. There is no specific requirement on which PAM provider is used; these docs simply present one specific approach. This does have the negative side effect of making OpenShift see user's passwords. However, any individual that is concerned by this should instead use the RequestHeaderIdentityProvider with SAML and GSSAPI to eliminate the need for users to type passwords at all. This is required for OCP 3.4+ Fixes bug: Bug 1545548 Caused by fixing: Bug 1421629 Bug 1434983 Bug 1439221 Bug 1439222 via openshift/origin#13569 Signed-off-by: Monis Khan <mkhan@redhat.com>
kalexand-rh
pushed a commit
to kalexand-rh/openshift-docs
that referenced
this pull request
Jun 11, 2018
This change moves the docs away from the frontend based RequestHeaderIdentityProvider to the backend based BasicAuthPasswordIdentityProvider. This is because the LDAP docs assume a password based flow which requires the RequestHeaderIDP to support form based login. In 3.3 and earlier (before the grant approval flow existed), this form based login occurred in a single step that did not require a session. The grant flow changes this flow to require more than one step, necessitating the need for a session based approach. Apache does not have a form module that supports sessions, thus we cannot use the RequestHeaderIDP. By moving to the BasicAuthPasswordIDP, we leverage OpenShift's ability to manage sessions directly. This changes the network flow from: RequestHeaderIDP: User -> Apache -> OpenShift to: BasicAuthPasswordIDP: User -> OpenShift -> Apache From the perspective of Apache, the entire flow occurs in one step and thus Apache does not need to maintain a session. This allows users to continue to use their investment in SSSD and PAM to have a robust LDAP setup that supports automatic failover. There is no specific requirement on which PAM provider is used; these docs simply present one specific approach. This does have the negative side effect of making OpenShift see user's passwords. However, any individual that is concerned by this should instead use the RequestHeaderIdentityProvider with SAML and GSSAPI to eliminate the need for users to type passwords at all. This is required for OCP 3.4+ Fixes bug: Bug 1545548 Caused by fixing: Bug 1421629 Bug 1434983 Bug 1439221 Bug 1439222 via openshift/origin#13569 Signed-off-by: Monis Khan <mkhan@redhat.com>
kalexand-rh
pushed a commit
to kalexand-rh/openshift-docs
that referenced
this pull request
Jun 11, 2018
…dentityProvider This change moves the docs away from the frontend based RequestHeaderIdentityProvider to the backend based BasicAuthPasswordIdentityProvider. This is because the LDAP docs assume a password based flow which requires the RequestHeaderIDP to support form based login. In 3.3 and earlier (before the grant approval flow existed), this form based login occurred in a single step that did not require a session. The grant flow changes this flow to require more than one step, necessitating the need for a session based approach. Apache does not have a form module that supports sessions, thus we cannot use the RequestHeaderIDP. By moving to the BasicAuthPasswordIDP, we leverage OpenShift's ability to manage sessions directly. This changes the network flow from: RequestHeaderIDP: User -> Apache -> OpenShift to: BasicAuthPasswordIDP: User -> OpenShift -> Apache From the perspective of Apache, the entire flow occurs in one step and thus Apache does not need to maintain a session. This allows users to continue to use their investment in SSSD and PAM to have a robust LDAP setup that supports automatic failover. There is no specific requirement on which PAM provider is used; these docs simply present one specific approach. This does have the negative side effect of making OpenShift see user's passwords. However, any individual that is concerned by this should instead use the RequestHeaderIdentityProvider with SAML and GSSAPI to eliminate the need for users to type passwords at all. This is required for OCP 3.4+ Fixes bug: Bug 1545548 Caused by fixing: Bug 1421629 Bug 1434983 Bug 1439221 Bug 1439222 via openshift/origin#13569 Signed-off-by: Monis Khan <mkhan@redhat.com>
kalexand-rh
pushed a commit
to kalexand-rh/openshift-docs
that referenced
this pull request
Jun 11, 2018
…ntityProvider This change moves the docs away from the frontend based RequestHeaderIdentityProvider to the backend based BasicAuthPasswordIdentityProvider. This is because the LDAP docs assume a password based flow which requires the RequestHeaderIDP to support form based login. In 3.3 and earlier (before the grant approval flow existed), this form based login occurred in a single step that did not require a session. The grant flow changes this flow to require more than one step, necessitating the need for a session based approach. Apache does not have a form module that supports sessions, thus we cannot use the RequestHeaderIDP. By moving to the BasicAuthPasswordIDP, we leverage OpenShift's ability to manage sessions directly. This changes the network flow from: RequestHeaderIDP: User -> Apache -> OpenShift to: BasicAuthPasswordIDP: User -> OpenShift -> Apache From the perspective of Apache, the entire flow occurs in one step and thus Apache does not need to maintain a session. This allows users to continue to use their investment in SSSD and PAM to have a robust LDAP setup that supports automatic failover. There is no specific requirement on which PAM provider is used; these docs simply present one specific approach. This does have the negative side effect of making OpenShift see user's passwords. However, any individual that is concerned by this should instead use the RequestHeaderIdentityProvider with SAML and GSSAPI to eliminate the need for users to type passwords at all. This is required for OCP 3.4+ Fixes bug: Bug 1545548 Caused by fixing: Bug 1421629 Bug 1434983 Bug 1439221 Bug 1439222 via openshift/origin#13569 Signed-off-by: Monis Khan <mkhan@redhat.com>
kalexand-rh
pushed a commit
to kalexand-rh/openshift-docs
that referenced
this pull request
Jun 11, 2018
…entityProvider This change moves the docs away from the frontend based RequestHeaderIdentityProvider to the backend based BasicAuthPasswordIdentityProvider. This is because the LDAP docs assume a password based flow which requires the RequestHeaderIDP to support form based login. In 3.3 and earlier (before the grant approval flow existed), this form based login occurred in a single step that did not require a session. The grant flow changes this flow to require more than one step, necessitating the need for a session based approach. Apache does not have a form module that supports sessions, thus we cannot use the RequestHeaderIDP. By moving to the BasicAuthPasswordIDP, we leverage OpenShift's ability to manage sessions directly. This changes the network flow from: RequestHeaderIDP: User -> Apache -> OpenShift to: BasicAuthPasswordIDP: User -> OpenShift -> Apache From the perspective of Apache, the entire flow occurs in one step and thus Apache does not need to maintain a session. This allows users to continue to use their investment in SSSD and PAM to have a robust LDAP setup that supports automatic failover. There is no specific requirement on which PAM provider is used; these docs simply present one specific approach. This does have the negative side effect of making OpenShift see user's passwords. However, any individual that is concerned by this should instead use the RequestHeaderIdentityProvider with SAML and GSSAPI to eliminate the need for users to type passwords at all. This is required for OCP 3.4+ Fixes bug: Bug 1545548 Caused by fixing: Bug 1421629 Bug 1434983 Bug 1439221 Bug 1439222 via openshift/origin#13569 Signed-off-by: Monis Khan <mkhan@redhat.com>
kalexand-rh
pushed a commit
to kalexand-rh/openshift-docs
that referenced
this pull request
Jun 11, 2018
…entityProvider This change moves the docs away from the frontend based RequestHeaderIdentityProvider to the backend based BasicAuthPasswordIdentityProvider. This is because the LDAP docs assume a password based flow which requires the RequestHeaderIDP to support form based login. In 3.3 and earlier (before the grant approval flow existed), this form based login occurred in a single step that did not require a session. The grant flow changes this flow to require more than one step, necessitating the need for a session based approach. Apache does not have a form module that supports sessions, thus we cannot use the RequestHeaderIDP. By moving to the BasicAuthPasswordIDP, we leverage OpenShift's ability to manage sessions directly. This changes the network flow from: RequestHeaderIDP: User -> Apache -> OpenShift to: BasicAuthPasswordIDP: User -> OpenShift -> Apache From the perspective of Apache, the entire flow occurs in one step and thus Apache does not need to maintain a session. This allows users to continue to use their investment in SSSD and PAM to have a robust LDAP setup that supports automatic failover. There is no specific requirement on which PAM provider is used; these docs simply present one specific approach. This does have the negative side effect of making OpenShift see user's passwords. However, any individual that is concerned by this should instead use the RequestHeaderIdentityProvider with SAML and GSSAPI to eliminate the need for users to type passwords at all. This is required for OCP 3.4+ Fixes bug: Bug 1545548 Caused by fixing: Bug 1421629 Bug 1434983 Bug 1439221 Bug 1439222 via openshift/origin#13569 Signed-off-by: Monis Khan <mkhan@redhat.com>
kalexand-rh
pushed a commit
to kalexand-rh/openshift-docs
that referenced
this pull request
Jun 11, 2018
…entityProvider This change moves the docs away from the frontend based RequestHeaderIdentityProvider to the backend based BasicAuthPasswordIdentityProvider. This is because the LDAP docs assume a password based flow which requires the RequestHeaderIDP to support form based login. In 3.3 and earlier (before the grant approval flow existed), this form based login occurred in a single step that did not require a session. The grant flow changes this flow to require more than one step, necessitating the need for a session based approach. Apache does not have a form module that supports sessions, thus we cannot use the RequestHeaderIDP. By moving to the BasicAuthPasswordIDP, we leverage OpenShift's ability to manage sessions directly. This changes the network flow from: RequestHeaderIDP: User -> Apache -> OpenShift to: BasicAuthPasswordIDP: User -> OpenShift -> Apache From the perspective of Apache, the entire flow occurs in one step and thus Apache does not need to maintain a session. This allows users to continue to use their investment in SSSD and PAM to have a robust LDAP setup that supports automatic failover. There is no specific requirement on which PAM provider is used; these docs simply present one specific approach. This does have the negative side effect of making OpenShift see user's passwords. However, any individual that is concerned by this should instead use the RequestHeaderIdentityProvider with SAML and GSSAPI to eliminate the need for users to type passwords at all. This is required for OCP 3.4+ Fixes bug: Bug 1545548 Caused by fixing: Bug 1421629 Bug 1434983 Bug 1439221 Bug 1439222 via openshift/origin#13569 Signed-off-by: Monis Khan <mkhan@redhat.com>
kalexand-rh
pushed a commit
to kalexand-rh/openshift-docs
that referenced
this pull request
Jun 11, 2018
…entityProvider This change moves the docs away from the frontend based RequestHeaderIdentityProvider to the backend based BasicAuthPasswordIdentityProvider. This is because the LDAP docs assume a password based flow which requires the RequestHeaderIDP to support form based login. In 3.3 and earlier (before the grant approval flow existed), this form based login occurred in a single step that did not require a session. The grant flow changes this flow to require more than one step, necessitating the need for a session based approach. Apache does not have a form module that supports sessions, thus we cannot use the RequestHeaderIDP. By moving to the BasicAuthPasswordIDP, we leverage OpenShift's ability to manage sessions directly. This changes the network flow from: RequestHeaderIDP: User -> Apache -> OpenShift to: BasicAuthPasswordIDP: User -> OpenShift -> Apache From the perspective of Apache, the entire flow occurs in one step and thus Apache does not need to maintain a session. This allows users to continue to use their investment in SSSD and PAM to have a robust LDAP setup that supports automatic failover. There is no specific requirement on which PAM provider is used; these docs simply present one specific approach. This does have the negative side effect of making OpenShift see user's passwords. However, any individual that is concerned by this should instead use the RequestHeaderIdentityProvider with SAML and GSSAPI to eliminate the need for users to type passwords at all. This is required for OCP 3.4+ Fixes bug: Bug 1545548 Caused by fixing: Bug 1421629 Bug 1434983 Bug 1439221 Bug 1439222 via openshift/origin#13569 Signed-off-by: Monis Khan <mkhan@redhat.com>
kalexand-rh
pushed a commit
to kalexand-rh/openshift-docs
that referenced
this pull request
Jun 11, 2018
…entityProvider This change moves the docs away from the frontend based RequestHeaderIdentityProvider to the backend based BasicAuthPasswordIdentityProvider. This is because the LDAP docs assume a password based flow which requires the RequestHeaderIDP to support form based login. In 3.3 and earlier (before the grant approval flow existed), this form based login occurred in a single step that did not require a session. The grant flow changes this flow to require more than one step, necessitating the need for a session based approach. Apache does not have a form module that supports sessions, thus we cannot use the RequestHeaderIDP. By moving to the BasicAuthPasswordIDP, we leverage OpenShift's ability to manage sessions directly. This changes the network flow from: RequestHeaderIDP: User -> Apache -> OpenShift to: BasicAuthPasswordIDP: User -> OpenShift -> Apache From the perspective of Apache, the entire flow occurs in one step and thus Apache does not need to maintain a session. This allows users to continue to use their investment in SSSD and PAM to have a robust LDAP setup that supports automatic failover. There is no specific requirement on which PAM provider is used; these docs simply present one specific approach. This does have the negative side effect of making OpenShift see user's passwords. However, any individual that is concerned by this should instead use the RequestHeaderIdentityProvider with SAML and GSSAPI to eliminate the need for users to type passwords at all. This is required for OCP 3.4+ Fixes bug: Bug 1545548 Caused by fixing: Bug 1421629 Bug 1434983 Bug 1439221 Bug 1439222 via openshift/origin#13569 Signed-off-by: Monis Khan <mkhan@redhat.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1434983
/oauth/approveto/oauth/authorize/approveLocation: authorize/approve)action="approve")Location: ../authorize)/and the proxy path not ending in/authorize)Tasks:
/oauth/authorizemust also proxy subpaths (notably/oauth/authorize/approve)/oauth/authorizemust end with.../authorize(with no trailing slash)