This repository has been archived by the owner on Jan 24, 2019. It is now read-only.

Allow redirect URL to be passed in the query string. #427

Open
wants to merge 1 commit into
base: master


johnbelamaric

When using the Kubernetes nginx ingress controller, the sign_in page is reached via a 302 redirect, which means that we cannot use the X-Auth-Request-Redirect header. Instead, we need to be able to include the URL in the query string.


aledbf commented Aug 17, 2017

Any update on this?

Contributor

ploxiln commented Aug 17, 2017

  • your kubernetes thing could just 302 redirect to .../oauth2/start?rd=... instead
  • if you really want this here, you should use GetRedirect() here (it does a bit more to prevent "open-redirects")


aledbf commented Aug 17, 2017

@ploxiln is a redirect to a different host possible?

Contributor

ploxiln commented Aug 17, 2017

see #399


aledbf commented Aug 17, 2017

@ploxiln ok, so the recommendation is to not allow "external" redirects, or is adding the whitelist domain flag ok?

Contributor

ploxiln commented Aug 17, 2017

A domain whitelist feature would be as good as the current status quo from a security/phishing perspective. It's just an arbitrary (completely unrestricted) redirect domain which is problematic.
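
An added example, not code from this pull request or from oauth2_proxy, of the kind of check this thread discusses: an `rd` value is accepted only if it is a same-site path or an absolute URL whose host is on a domain whitelist. The helper name `isSafeRedirect`, the whitelist format and the sample `rd` values are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// isSafeRedirect is a hypothetical helper, not oauth2_proxy's GetRedirect().
// It accepts a same-site path, or an absolute http(s) URL whose host is on
// the whitelist. An entry beginning with "." also matches subdomains.
func isSafeRedirect(rd string, whitelist []string) bool {
	// Browsers treat "\" like "/", and control characters can split headers.
	if rd == "" || strings.ContainsAny(rd, "\\\r\n\t") {
		return false
	}
	if strings.HasPrefix(rd, "/") {
		// "//host/path" is scheme-relative and leaves the site.
		return !strings.HasPrefix(rd, "//")
	}
	u, err := url.Parse(rd)
	if err != nil || u.User != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return false
	}
	host := strings.ToLower(u.Hostname())
	for _, d := range whitelist {
		d = strings.ToLower(d)
		if host == strings.TrimPrefix(d, ".") ||
			(strings.HasPrefix(d, ".") && strings.HasSuffix(host, d)) {
			return true
		}
	}
	return false
}

func main() {
	whitelist := []string{".example.com"} // constructed sample policy
	// Constructed rd values, as they would arrive in /oauth2/start?rd=...
	for _, rd := range []string{
		"/dashboard?tab=1",
		"https://app.example.com/home",
		"//other.invalid/login",
		"https://example.com.other.invalid/",
		"https://app.example.com@other.invalid/",
	} {
		fmt.Printf("%-42q safe=%v\n", rd, isSafeRedirect(rd, whitelist))
	}
}
```

With an empty whitelist the helper allows same-site paths only.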


3 participants