
/signin does not pass through any redirect URL

Open colemickens opened this issue 8 years ago • 7 comments

I am using oauth2_proxy with nginx + auth_request. But, virtually always, the callback success drops me on / rather than on the actual place I was originally going.

It doesn't seem like the X-Auth-Request-Url header is being handled correctly possibly, or at least the handoff between the sign_in and start doesn't seem to work.

The only way I've gotten this to work is by making the 401 redirect to https://auth.mydomain.tld/oauth2/start?rd=https://whatever.mydomain.tld/realpath (note that it says start instead of sign_in.)

colemickens avatar Jun 01 '17 08:06 colemickens

Works for me. How much did your initial attempt differ from

  location /oauth2/ {
    proxy_pass       http://127.0.0.1:4180;
    proxy_set_header Host                    $host;
    proxy_set_header X-Auth-Request-Redirect $request_uri;
  }

  location / {
    auth_request /oauth2/auth;
    error_page 401 = /oauth2/sign_in;
    # ... serve actual content ...
  }

(notice X-Auth-Request-Redirect instead of X-Auth-Request-Url as you wrote)

ploxiln avatar Jun 01 '17 16:06 ploxiln

Hi, I'm using the kubernetes nginx ingress with signin-url pointing to both /start and /sign_in, and I do not get to the original URL either.

vic3lord avatar Jun 04 '17 16:06 vic3lord

For me /sign_in would not work, but /start did. (I'm using my own fork of #464.)

madmod avatar Dec 01 '17 20:12 madmod

Still doesn't seem to work.

auth_request /oauth2/auth;
error_page 401 = /oauth2/start;

location = /oauth2/auth {
  internal;
  proxy_pass http://127.0.0.1:4180;
  proxy_set_header X-Auth-Request-Redirect $request_uri;
}

location /oauth2/ {
  auth_request off;
  proxy_pass http://127.0.0.1:4180;
}

iain-buclaw-sociomantic avatar Jan 02 '18 20:01 iain-buclaw-sociomantic

Currently,

  • only /sign_in looks for the header X-Auth-Request-Redirect
  • only /start looks for the param rd

So if you want to set error_page to /start, you could instead set it to /start?rd=$request_uri

ploxiln avatar Jan 02 '18 20:01 ploxiln

I had the same problem with a redirection from https://auth.example.com to https://app.example.com, and I spent a whole day solving it.

The problem was in the following lines of code:

https://github.com/bitly/oauth2_proxy/blob/a94b0a8b25e553f7333f7b84aeb89d9d18ec259b/oauthproxy.go#L565-L567

When oauth2_proxy receives the callback, it checks that the redirect URL is relative to its own domain. It seems to be done for security reasons. But anyway, there are at least two PRs (#461, #464) that were created to solve this problem, and none of them has been merged yet.

For now, the only solution is to apply one of the PRs by hand to HEAD and build a binary.

P.S. If you are using docker containers, you can temporarily use the alikhil/oauth2_proxy:2.2.2 image, which I built for myself from my own fork.

alikhil avatar May 16 '18 16:05 alikhil
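
An added example, not part of the comment above and not oauth2_proxy's code or the code of PRs #461/#464: a Go redirect validator that keeps the relative-path-only rule described there and goes one step further by also accepting https URLs on an explicitly allowlisted host. The names `safeRedirect` and `allowedHosts`, the allowlist entry and the sample inputs are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// allowedHosts is a constructed allowlist for this example only.
var allowedHosts = map[string]bool{"app.example.com": true}

// safeRedirect returns rd if it is a same-site relative path or an https URL
// whose host is explicitly allowlisted; otherwise it falls back to "/".
func safeRedirect(rd string) string {
	// Browsers may treat "\" like "/" and drop control characters: reject both.
	if strings.ContainsAny(rd, "\\\r\n\t") {
		return "/"
	}
	// Relative path: exactly one leading slash ("//host" is scheme-relative).
	if strings.HasPrefix(rd, "/") && !strings.HasPrefix(rd, "//") {
		return rd
	}
	u, err := url.Parse(rd)
	if err != nil || u.Scheme != "https" || u.User != nil {
		return "/"
	}
	// Exact host match only: no suffix matching, no port, no userinfo.
	if allowedHosts[strings.ToLower(u.Host)] {
		return rd
	}
	return "/"
}

func main() {
	for _, rd := range []string{ // constructed sample inputs
		"/realpath?x=1",
		"https://app.example.com/realpath",
		"//other.example.net/",
		"https://other.example.net/",
		"https://app.example.com@other.example.net/",
		"http://app.example.com/",
	} {
		fmt.Printf("%-45q -> %q\n", rd, safeRedirect(rd))
	}
}
```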

You my friend @alikhil are a legend, thanks

Stono avatar Jun 12 '18 14:06 Stono