Support external-auth /oauth2 #638
I looked into the nginx controller again today. It seems that it should be possible to achieve an oauth proxy with a combination of an oauth_proxy pod and custom backend rules (that will redirect to the oauth login page if a certain cookie is missing). It seems that the oauth annotations are used to automatically generate the backend rules.
### Requirements

### Demo without SSL

#### HAProxy config

```
$ cat /etc/haproxy/haproxy.cfg
global
    lua-load auth-request.lua

defaults
    mode http
    timeout connect 5000
    timeout client 50000
    timeout server 50000

backend auth_request
    server auth_request 127.0.0.1:4180

backend app
    http-request lua.auth-request auth_request /oauth2/auth
    http-request redirect location /oauth2/start?rd=http://voyager.appscode.ninja if ! { var(txn.auth_response_successful) -m bool }
    server app 138.197.59.213:80

frontend http
    bind *:80
    acl acl_host hdr(host) -i voyager.appscode.ninja
    acl acl_host hdr(host) -i voyager.appscode.ninja:80
    acl acl_path_oauth2 path_beg /oauth2
    use_backend auth_request if acl_path_oauth2 acl_host
    use_backend app if acl_host
```

#### Setup github oauth app

#### Run oauth2_proxy

```
$ ./oauth2_proxy \
    -provider=github \
    -client-id=... \
    -client-secret=... \
    -email-domain=* \
    -upstream=file:///dev/null \
    -cookie-secret=secretsecret \
    -cookie-secure=false
```

### Demo with SSL

#### Notes

Generate certs

#### HAProxy config

```
$ cat /etc/haproxy/haproxy.cfg
global
    lua-load auth-request.lua
    tune.ssl.default-dh-param 2048

defaults
    mode http
    timeout connect 5000
    timeout client 50000
    timeout server 50000

backend auth_request
    server auth_request 127.0.0.1:4180

backend app
    http-request lua.auth-request auth_request /oauth2/auth
    http-request redirect location /oauth2/start?rd=https://voyager.appscode.ninja if ! { var(txn.auth_response_successful) -m bool }
    server app 138.197.59.213:80

frontend http
    bind *:80
    bind *:443 ssl crt /tmp/tls.pem
    redirect scheme https if !{ ssl_fc }
    acl acl_host hdr(host) -i voyager.appscode.ninja
    acl acl_host hdr(host) -i voyager.appscode.ninja:80
    acl acl_path_oauth2 path_beg /oauth2
    use_backend auth_request if acl_path_oauth2 acl_host
    use_backend app if acl_host
```

#### Setup github oauth app

#### Run oauth2_proxy

```
$ ./oauth2_proxy \
    -provider=github \
    -client-id=... \
    -client-secret=... \
    -email-domain=* \
    -upstream=file:///dev/null \
    -cookie-secret=secretsecret
```
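The request flow these two HAProxy configs implement, as an added Python model (not code from this issue, from Voyager, or from oauth2_proxy): the frontend host/path ACLs, the auth-request subrequest to `/oauth2/auth` whose 2xx reply sets `txn.auth_response_successful`, and the redirect to `/oauth2/start?rd=...` when it does not. The `fake_oauth2_auth` function, the `_oauth2_proxy` cookie name, and the session values are stand-ins assumed for the example.

```python
# Added example: models the HAProxy + oauth2_proxy routing from the configs above.
from dataclasses import dataclass
from typing import Dict, Optional

ALLOWED_HOSTS = {"voyager.appscode.ninja", "voyager.appscode.ninja:80"}  # the two acl_host lines
OAUTH_PREFIX = "/oauth2"                        # acl_path_oauth2 path_beg /oauth2
SITE_URL = "https://voyager.appscode.ninja"     # hard-coded rd= value in the SSL demo
SESSION_COOKIE = "_oauth2_proxy"                # assumption: oauth2_proxy's default cookie name
VALID_SESSIONS = {"session-for-alice"}          # constructed: cookie values the stand-in accepts


@dataclass
class Decision:
    backend: Optional[str]        # "auth_request", "app", or None when no use_backend matched
    status: int                   # 200 proxied, 302 redirected to login, 503 no backend
    location: Optional[str] = None


def parse_cookies(header: str) -> Dict[str, str]:
    """Split a Cookie header into a name -> value dict (simple 'a=b; c=d' form only)."""
    pairs = (p.strip().split("=", 1) for p in header.split(";") if "=" in p)
    return {k: v for k, v in pairs}


def fake_oauth2_auth(headers: Dict[str, str]) -> int:
    """Stand-in for oauth2_proxy /oauth2/auth: 202 with a valid session cookie, otherwise 401."""
    cookies = parse_cookies(headers.get("Cookie", ""))
    return 202 if cookies.get(SESSION_COOKIE) in VALID_SESSIONS else 401


def route(host: str, path: str, headers: Dict[str, str]) -> Decision:
    """Apply the frontend ACLs, then backend 'app' auth-request and redirect rules."""
    if host.lower() not in ALLOWED_HOSTS:          # neither acl_host line matched
        return Decision(None, 503)                  # no use_backend and no default_backend: 503
    if path.startswith(OAUTH_PREFIX):               # use_backend auth_request if acl_path_oauth2 acl_host
        return Decision("auth_request", 200)
    # backend app: lua.auth-request forwards the client's headers (Cookie included) to
    # /oauth2/auth and sets txn.auth_response_successful only on a 2xx reply.
    auth_ok = 200 <= fake_oauth2_auth(headers) < 300
    if not auth_ok:                                 # http-request redirect ... if ! { var(...) -m bool }
        return Decision("app", 302, f"{OAUTH_PREFIX}/start?rd={SITE_URL}")
    return Decision("app", 200)
```

Both demo configs set `rd` to the site root, so after login the user lands on `/` rather than on the page that triggered the redirect.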
Fixed in #954
https://github.com/kubernetes/ingress-nginx/blob/master/docs/examples/external-auth/README.md