OIDC support for a dynamic redirect_url based on proxy/config #7042

Closed
Tracked by #8745
jdconti opened this issue May 25, 2021 · 0 comments · Fixed by #12054
Labels: c-ju (Internal Customer Reference), feature-request (Used for new features in Teleport, improvements to current should be #enhancements), networking (Network connectivity features/problems), scale (Changes required to achieve 100K nodes per cluster.)

Comments

@jdconti

jdconti commented May 25, 2021

What

What would you like Teleport to do differently? The current OIDC implementation allows a single redirect_url for the entire cluster (e.g. proxy.example.com). This works fine when all proxies are behind a single load balancer or you're using something like DNS views so all initiating sessions and OIDC callbacks hit the same proxy.example.com. However, this breaks down when you have multiple proxies which are NOT behind a single load balancer / FQDN (for latency or other reasons). It would be helpful to have either the redirect_url automatically populated by the public_addr or hostname of the proxy which initiated the OIDC session, OR have a redirect_url definable per-proxy in the proxy section of each proxy's config.

How

How would you implement this? This can be addressed with a default behavior of using the initiating proxy as the redirect_url and/or override the redirect_url per-proxy in the config.

Why

Why do you need this? This change routes the OIDC callback to the appropriate proxy and removes any reliance on external dependencies like DNS views, OIDC routing apps, 301 redirects, etc.

Workaround

If a workaround exists, please include it:

The current workaround uses nginx with the geoip module and a 301 based on location. However, we'd like to avoid supporting this external dependency long-term. Also, the current implementation of this workaround breaks down when you have users who want to use a proxy outside their region (since the callback would be 301'd to their regional proxy and result in a CSRF token mismatch).
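To make the failure mode in the workaround concrete, the following is an added Go simulation; it is not Teleport's code and not part of this issue. Each proxy keeps its own store of the OIDC state values it issued, so a callback that a geoip 301 sends to a different proxy than the one that started the login cannot be validated, while a redirect_uri derived from the initiating proxy's public_addr lands on the right proxy. The callback path /oidc/callback, the hosts idp.example.com, us.example.com and eu.example.com, and all type and function names are constructed for this example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/url"
)

// Proxy models one Teleport proxy with an in-memory store of pending OIDC
// logins keyed by the state (CSRF) value it issued. Constructed for this
// example; not Teleport's own types.
type Proxy struct {
	PublicAddr string            // the proxy's public_addr, e.g. "us.example.com"
	pending    map[string]string // state -> redirect_uri used for that login
}

func NewProxy(publicAddr string) *Proxy {
	return &Proxy{PublicAddr: publicAddr, pending: map[string]string{}}
}

// Cluster holds the single cluster-wide redirect_url the issue describes
// and the proxies reachable by hostname.
type Cluster struct {
	ClusterRedirectURL string
	Proxies            map[string]*Proxy
}

// newState returns a random, unguessable state value (the CSRF token).
func newState() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// BeginLogin starts a login on proxy p. With perProxy=false the cluster-wide
// redirect_url is sent to the IdP; with perProxy=true the callback URL is
// derived from the initiating proxy's public_addr (the proposed default).
func (p *Proxy) BeginLogin(c *Cluster, perProxy bool) (authorizeURL, state string) {
	redirect := c.ClusterRedirectURL
	if perProxy {
		redirect = "https://" + p.PublicAddr + "/oidc/callback" // constructed path
	}
	state = newState()
	p.pending[state] = redirect
	q := url.Values{}
	q.Set("redirect_uri", redirect)
	q.Set("state", state)
	return "https://idp.example.com/authorize?" + q.Encode(), state
}

// HandleCallback validates the state the IdP echoed back. A proxy that never
// issued this state has no record of it and must reject the callback.
func (p *Proxy) HandleCallback(state string) error {
	if _, ok := p.pending[state]; !ok {
		return fmt.Errorf("%s: CSRF state mismatch: unknown state %q", p.PublicAddr, state)
	}
	delete(p.pending, state) // single use
	return nil
}

// RouteCallback models where the IdP's redirect actually lands. The
// cluster-wide hostname is fronted by the geoip 301 from the workaround, so
// it resolves to the user's regional proxy; a per-proxy hostname goes
// straight to that proxy.
func (c *Cluster) RouteCallback(redirectURI, userRegionProxy string) (*Proxy, error) {
	u, err := url.Parse(redirectURI)
	if err != nil {
		return nil, err
	}
	cu, err := url.Parse(c.ClusterRedirectURL)
	if err != nil {
		return nil, err
	}
	host := u.Host
	if host == cu.Host {
		host = userRegionProxy // the 301 based on the caller's location
	}
	p, ok := c.Proxies[host]
	if !ok {
		return nil, fmt.Errorf("no proxy for host %s", host)
	}
	return p, nil
}

// Simulate runs one login: the user starts on initiatingProxy, the IdP
// echoes redirect_uri and state unchanged, and the callback is validated
// wherever it lands. The returned error is the proxy's verdict.
func Simulate(c *Cluster, initiatingProxy, userRegionProxy string, perProxy bool) error {
	start := c.Proxies[initiatingProxy]
	authorizeURL, state := start.BeginLogin(c, perProxy)
	u, err := url.Parse(authorizeURL)
	if err != nil {
		return err
	}
	landing, err := c.RouteCallback(u.Query().Get("redirect_uri"), userRegionProxy)
	if err != nil {
		return err
	}
	return landing.HandleCallback(state)
}

// NewExampleCluster builds the two-region cluster used below (constructed data).
func NewExampleCluster() *Cluster {
	return &Cluster{
		ClusterRedirectURL: "https://proxy.example.com/oidc/callback",
		Proxies: map[string]*Proxy{
			"us.example.com": NewProxy("us.example.com"),
			"eu.example.com": NewProxy("eu.example.com"),
		},
	}
}

func main() {
	c := NewExampleCluster()
	// An EU user deliberately logging in through the US proxy.
	fmt.Println("cluster-wide redirect_url:", Simulate(c, "us.example.com", "eu.example.com", false))
	fmt.Println("per-proxy redirect_url:   ", Simulate(c, "us.example.com", "eu.example.com", true))
}
```

The first call fails with a state mismatch because the geoip 301 delivers the callback to eu.example.com while us.example.com holds the pending state; the second succeeds because the callback returns to the proxy that issued the state. Rejecting an unknown state is the correct behaviour for the receiving proxy, which is why the fix belongs in where the redirect_uri points rather than in relaxing the state check.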

@jdconti jdconti added the feature-request Used for new features in Teleport, improvements to current should be #enhancements label May 25, 2021
@russjones russjones added networking Network connectivity features/problems scale Changes required to achieve 100K nodes per cluster. c-ju Internal Customer Reference labels May 26, 2021
@russjones russjones added the A0 label Jun 30, 2021
@russjones russjones mentioned this issue Oct 26, 2021