This repository has been archived by the owner on Jan 24, 2019. It is now read-only.

External redirect urls #461

Open
wants to merge 2 commits into base: master

Conversation


@boivie boivie commented Sep 30, 2017

Allows having the oauth2_proxy at e.g. https://auth.example.com and using it for several of your domains, e.g. https://app1.example.com and https://app2.example.com

You will need to whitelist your domains, or set it to "*" to allow all your domains using "--redirect-domain"

Fixes #399 and #427

In addition to the X-Auth-Request-Redirect header, which
still has precedence.

Fixes bitly#427
Allows redirection to URLs on other domains. Specify one or several
domains (including port number). You can also specify "*" if you
want to allow all redirect domains.

Fixes bitly#399
@boivie
Author

boivie commented Sep 30, 2017

If you're using Kubernetes with "external auth" in your nginx-ingress-controller, this is how you configure it:

First, the oauth2-proxy. It's important to set a correct --redirect-url, --cookie-domain and --redirect-domain. This is an example:

        - --redirect-url=https://auth.internal.example.com/oauth2/callback
        - --cookie-domain=internal.example.com
        - --redirect-domain=*

(instead of *, you can specify one domain, or specify this multiple times with multiple domains)

In your app ingress files, specify:

  annotations:
    "ingress.kubernetes.io/auth-url": "http://oauth2-proxy.kube-system.svc.cluster.local:4180/oauth2/auth"
    "ingress.kubernetes.io/auth-signin": "https://auth.internal.example.com/oauth2/sign_in?rd=https://$best_http_host$request_uri"

This is unfortunately using the variables defined in the nginx-ingress-controller as it is right now. Better support should be added to it.

@krogon-dp

krogon-dp commented Oct 9, 2017

fixes #456

@ploxiln
Contributor

ploxiln commented Oct 9, 2017

The "any domain" * option should probably be removed (if not, it would require a prominent disclaimer to never use it for a real deployment). However, a "any subdomain" *.domain.tld option could be useful and safe.
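The PR description and commit messages above describe three pieces of behaviour: a --redirect-domain allowlist of hostnames (optionally with a port), a "*" value that allows every domain, and the X-Auth-Request-Redirect header keeping precedence over the rd parameter. ploxiln's comment adds the security point: "*" turns the sign-in endpoint into an open redirect, while a "*.domain.tld" subdomain match would be safe. The following is an added example, written for this page and not code from the PR or from oauth2_proxy, of how such a check can be implemented so that the classic open-redirect bypasses (scheme-relative "//evil.net", userinfo "@" tricks, backslashes, suffix look-alikes such as app1.example.com.evil.net) are rejected and "*" is never honoured. The function names safeRedirect, redirectDomainAllowed and resolveRedirect, the https-only rule, and the fallback to "/" are this example's assumptions, not the PR's semantics; the allowlist and requests in main are constructed inputs.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// splitHostPort returns ("host", "port"); a bare host yields an empty port.
func splitHostPort(h string) (string, string) {
	if host, port, err := net.SplitHostPort(h); err == nil {
		return host, port
	}
	return h, ""
}

// redirectDomainAllowed checks the host of a redirect target against the
// --redirect-domain entries. The rules are this example's (assumed) reading
// of the PR, not its code: "app1.example.com" / "app2.example.com:8443"
// match exactly and case-insensitively (a listed port must be present);
// "*.example.com" matches any subdomain but not the apex and not
// "example.com.evil.net"; a bare "*" is ignored, because honouring it
// makes /oauth2/sign_in an open redirect to any site.
func redirectDomainAllowed(host string, allowed []string) bool {
	hHost, hPort := splitHostPort(strings.ToLower(host))
	for _, entry := range allowed {
		entry = strings.ToLower(strings.TrimSpace(entry))
		if entry == "" || entry == "*" {
			continue
		}
		eHost, ePort := splitHostPort(entry)
		if ePort != hPort {
			continue
		}
		if strings.HasPrefix(eHost, "*.") {
			suffix := eHost[1:] // ".example.com"
			if len(hHost) > len(suffix) && strings.HasSuffix(hHost, suffix) {
				return true
			}
		} else if eHost == hHost {
			return true
		}
	}
	return false
}

// safeRedirect validates a caller-supplied target (?rd= or the header).
// Absolute paths stay on the proxy's own host and are always fine; absolute
// URLs must be https (this example's rule) and land on an allowed domain.
// Forms a browser would send elsewhere are refused: "//evil.net", a "\"
// (browsers treat it as "/"), userinfo tricks ("https://good@evil.net"),
// and non-http schemes such as javascript:.
func safeRedirect(raw string, allowed []string) (string, bool) {
	if raw == "" || strings.ContainsAny(raw, "\\\r\n") {
		return "", false
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", false
	}
	if u.Scheme == "" && u.Host == "" { // same-host path: must be "/..." but not "//..."
		if strings.HasPrefix(u.Path, "/") && !strings.HasPrefix(u.Path, "//") {
			return u.String(), true
		}
		return "", false
	}
	if u.Scheme != "https" || u.User != nil || u.Host == "" {
		return "", false
	}
	if !redirectDomainAllowed(u.Host, allowed) {
		return "", false
	}
	return u.String(), true
}

// resolveRedirect picks the post-login destination for /oauth2/sign_in: the
// X-Auth-Request-Redirect header is tried before ?rd= (header precedence, as
// in the commit message) and both pass through safeRedirect. Falling back
// to "/" when neither validates is this example's choice.
func resolveRedirect(r *http.Request, allowed []string) string {
	for _, c := range []string{r.Header.Get("X-Auth-Request-Redirect"), r.URL.Query().Get("rd")} {
		if target, ok := safeRedirect(c, allowed); ok {
			return target
		}
	}
	return "/"
}

func main() {
	// constructed allowlist and candidate targets for demonstration
	allowed := []string{"app1.example.com", "*.internal.example.com", "app2.example.com:8443"}
	for _, rd := range []string{
		"/dashboard", "https://app1.example.com/reports?x=1", "https://grafana.internal.example.com/",
		"https://app2.example.com:8443/", "https://app2.example.com/", "https://app1.example.com.evil.net/",
		"//evil.net/", "https://app1.example.com@evil.net/", "/\\evil.net",
	} {
		target, ok := safeRedirect(rd, allowed)
		fmt.Printf("%-42s allowed=%-5v -> %s\n", rd, ok, target)
	}
	// constructed request: attacker-controlled rd, but a validated header wins
	req, _ := http.NewRequest("GET", "https://auth.internal.example.com/oauth2/sign_in?rd=https://evil.net/", nil)
	req.Header.Set("X-Auth-Request-Redirect", "https://app1.example.com/")
	fmt.Println("resolved:", resolveRedirect(req, allowed))
}
```

Two practical notes. First, the port check is deliberately strict: "app2.example.com:8443" does not admit "https://app2.example.com/", so every distinct host:port that should be a valid destination has to be listed (or covered by a "*." entry, which here only matches targets without an explicit port). Second, the auth-signin annotation quoted earlier splices nginx's $request_uri into rd unescaped, so a "&" in the protected request's own query string will cut the rd value short; whatever survives is validated as-is by this check and simply falls back to "/" if it no longer parses as an allowed target.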

@JordanP

JordanP commented Oct 17, 2017

@boivie in your example you set the --redirect-url=https://auth.internal.example.com/oauth2/callback config option to oauth2_proxy. What if I want to secure several applications with the same oauth2_proxy instance? I guess I don't understand what 'https://auth.internal.example.com' should point to?

I used to have a single instance with only these options, and that used to work with nginx-ingress-controller-0.9.0-beta.11:

        - --provider=google
        - --email-domain=XXX
        - --upstream=file:///dev/null
        - --http-address=0.0.0.0:4180

@janwillies

I tested it and it works as a drop in replacement. My configuration looks exactly like @JordanP

Image is pushed to willies/oauth2_proxy-amd64:b7f9438_external-redirect-urls if someone wants to try

thanks @boivie!

@madmod

madmod commented Dec 1, 2017

Can this please be merged? Having a single oauth proxy in Kubernetes to protect various cluster sub-domains is my primary use case. I'd rather not have to make a bunch of ingresses with URL routing or something for each subdomain I want to protect.

@madmod

madmod commented Dec 1, 2017

Actually after looking at #464 I think that better solves my issue because I would like a wildcard sub-domain rather than needing to edit the oauth proxy settings for each new ingress I want to protect.

@landonwilkins

+1, plz merge to avoid having to use a fork

@ploxiln
Contributor

ploxiln commented Jan 25, 2018

I suggest the alternative implementation in #464

Labels: None yet

7 participants