[Request] Cryostat3 auth proxies should not pass user credentials/tokens to upstreams #838

Closed
andrewazores opened this issue Jun 4, 2024 · 0 comments
@andrewazores
Member

Describe the feature

https://github.com/openshift/oauth-proxy/

  -pass-access-token: pass OAuth access_token to upstream via X-Forwarded-Access-Token header
  -pass-user-bearer-token: pass OAuth access token received from the client to upstream via X-Forwarded-Access-Token header
  -pass-basic-auth: pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream (default true)

https://oauth2-proxy.github.io/oauth2-proxy/configuration/overview

| Flag | Type | Description | Default |
| --- | --- | --- | --- |
| --pass-access-token | bool | pass OAuth access_token to upstream via X-Forwarded-Access-Token header. When used with --set-xauthrequest this adds the X-Auth-Request-Access-Token header to the response | false |
| --pass-authorization-header | bool | pass OIDC IDToken to upstream via Authorization Bearer header | false |
| --pass-basic-auth | bool | pass HTTP Basic Auth, X-Forwarded-User, X-Forwarded-Email and X-Forwarded-Preferred-Username information to upstream | true |

These flags should be explicitly disabled if the upstreams (Cryostat, Grafana dashboard, storage) do not have a use for them.

Any other information?

No response
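
An added example, not part of the issue or of Cryostat's code: a small audit that takes a proxy's argument list and reports every credential-forwarding flag quoted above that is not explicitly disabled. The sample arguments are constructed, and flags the quoted help text lists without a default are assumed to be off by default.

```python
# Added example: audit a proxy's argument list for the credential-forwarding
# flags quoted in the issue. Defaults come from the quoted help text; flags
# listed there without a default are ASSUMED to be off by default.
OPENSHIFT_OAUTH_PROXY = {
    "pass-access-token": False,       # assumed default
    "pass-user-bearer-token": False,  # assumed default
    "pass-basic-auth": True,
}
OAUTH2_PROXY = {
    "pass-access-token": False,
    "pass-authorization-header": False,
    "pass-basic-auth": True,
}
BOOL = {"1": True, "t": True, "true": True, "0": False, "f": False, "false": False}


def audit(args, flags):
    """Return [(flag, status)] for every flag that is not explicitly disabled.

    "enabled": credentials are forwarded upstream (explicitly or by default).
    "implicit": off only because of the default, not by explicit setting.
    """
    state = {name: (default, False) for name, default in flags.items()}
    for arg in args:
        if not arg.startswith("-"):
            continue
        name, sep, value = arg.lstrip("-").partition("=")
        if name not in flags:
            continue
        if sep and value.lower() not in BOOL:
            raise ValueError(f"unparseable boolean for {name}: {value!r}")
        # A bare boolean flag (no "=value") means true.
        state[name] = (BOOL[value.lower()] if sep else True, True)
    return [
        (name, "enabled" if on else "implicit")
        for name, (on, explicit) in state.items()
        if on or not explicit
    ]


# Constructed sample arguments, not taken from any Cryostat deployment.
SAMPLE_ARGS = [
    "--http-address=0.0.0.0:4180",
    "--upstream=http://localhost:8181/",
    "--pass-access-token",
    "--pass-authorization-header=false",
]
```

An empty result from `audit(args, OAUTH2_PROXY)` or `audit(args, OPENSHIFT_OAUTH_PROXY)` means every pass flag for that proxy is set to false in the arguments themselves, which is the state the issue asks for.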

Status: Done