
expose redirect uri to oidc API #2370

Closed

Conversation

zhaohuabing (Member) commented Dec 28, 2023

What this PR does / why we need it:

The current OIDC implementation uses a fixed redirect URL: /oauth2/callback. It causes a problem if this URL doesn't match the HTTPRoute, because the oauth2 filter cannot receive the callback from the OIDC provider.

This PR exposes the redirect URI in the OIDC API to make it possible to set the redirect URI to match the HTTPRoute URL. For example:

HTTPRoute

kind: HTTPRoute
metadata:
  name: backend
spec:
  hostnames:
  - www.example.com
  parentRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: eg
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /    # the current default redirect uri will be caught by this route, which has no oauth2 filter in its configuration.
    backendRefs:
    - group: ""
      kind: Service
      name: backend
      port: 3000
  - matches:
    - path:
        type: PathPrefix
        value: /secret-page
    backendRefs:
    - group: ""
      kind: Service
      name: backend
      port: 3000

SecurityPolicy

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: oidc-example
spec:
  oidc:
    # set redirect_uri to `/secret-page/oauth2/callback` to make sure the redirect from the OIDC provider can reach the correct HTTPRoute
    redirect_uri: /secret-page/oauth2/callback
    clientID: 250344188863-uve9br9mtrj05j2tfn8ls7n3fhemg3sr.apps.googleusercontent.com
    clientSecret:
      group: ""
      kind: Secret
      name: my-app-client-secret
    provider:
      issuer: https://accounts.google.com
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: backend

fix: #2326

@zhaohuabing zhaohuabing requested a review from a team as a code owner December 28, 2023 07:27
@zhaohuabing zhaohuabing marked this pull request as draft December 28, 2023 07:28
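The routing mismatch the description walks through, as an added example that is not part of this PR or of Envoy Gateway's code: a small Go check that resolves a redirect_uri path against HTTPRoute rules using Gateway API precedence (Exact beats PathPrefix, the longest prefix wins, prefixes match whole path elements) and reports whether the callback lands on a rule that carries the oauth2 filter. The Rule and PathMatch types, and the assumption that the filter is attached only to the /secret-page rule, are mine, not the project's.

```go
package main

import "strings"

// PathMatch mirrors the HTTPRoute path match fields used on the page.
type PathMatch struct{ Type, Value string } // Type is "PathPrefix" or "Exact"

// Rule is a hypothetical model of one HTTPRoute rule: its path matches and
// whether the oauth2 filter from the SecurityPolicy is attached to it.
type Rule struct {
	Name    string
	Matches []PathMatch
	OIDC    bool
}

// prefixMatches applies Gateway API PathPrefix semantics (whole path elements):
// "/secret-page" matches "/secret-page/x" but not "/secret-pages".
func prefixMatches(prefix, path string) bool {
	prefix = strings.TrimSuffix(prefix, "/")
	return prefix == "" || path == prefix || strings.HasPrefix(path, prefix+"/")
}

// SelectRule returns the rule that receives a request for path under Gateway API
// precedence: Exact beats PathPrefix and a longer prefix beats a shorter one.
func SelectRule(rules []Rule, path string) *Rule {
	var best *Rule
	bestLen, exact := -1, false
	for i := range rules {
		for _, m := range rules[i].Matches {
			if m.Type == "Exact" && m.Value == path && !exact {
				best, exact = &rules[i], true
			} else if m.Type == "PathPrefix" && !exact &&
				prefixMatches(m.Value, path) && len(m.Value) > bestLen {
				best, bestLen = &rules[i], len(m.Value)
			}
		}
	}
	return best
}

// RedirectReachesOIDC reports whether redirectPath (the redirect_uri path) lands
// on a rule carrying the oauth2 filter, and names the rule it actually hits.
func RedirectReachesOIDC(rules []Rule, redirectPath string) (bool, string) {
	r := SelectRule(rules, redirectPath)
	if r == nil {
		return false, ""
	}
	return r.OIDC, r.Name
}
```

With the two-rule HTTPRoute from the description, the default /oauth2/callback resolves to the `/` rule (no filter), while /secret-page/oauth2/callback resolves to the /secret-page rule, which is why the configurable redirect_uri is needed.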

codecov bot commented Dec 28, 2023

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (38a3399) 64.66% compared to head (8133ba4) 64.66%.

❗ Current head 8133ba4 differs from pull request most recent head 6ca792e. Consider uploading reports for the commit 6ca792e to get more accurate results

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #2370   +/-   ##
=======================================
  Coverage   64.66%   64.66%           
=======================================
  Files         114      114           
  Lines       16616    16631   +15     
=======================================
+ Hits        10744    10755   +11     
- Misses       5195     5197    +2     
- Partials      677      679    +2     

☔ View full report in Codecov by Sentry.

Successfully merging this pull request may close these issues.

SecurityPolicy -> HTTPRoute Auth mismatch / broken Envoy config