
[enhancement] ForwardAuth OAuth provider that supports insecure TLS certificates

Open costrouc opened this issue 3 years ago • 6 comments

Description

This issue was discovered in https://github.com/Quansight/qhub/pull/1017. It is related to an issue with traefik forward auth https://github.com/thomseddon/traefik-forward-auth/issues/122. This limits our forward auth to only working with trusted domains. We need to discuss and decide if we stick with traefik forward auth or move towards a more adopted forward auth e.g. https://github.com/oauth2-proxy/oauth2-proxy.

Value/benefit

Transparent authentication is more transparent.

costrouc, Feb 03 '22 21:02

In the meantime, we should put a notice in the docs saying that using Let's Encrypt for generating the certs would be the recommended way for a fresh install... @costrouc what do you think?

viniciusdc, Feb 08 '22 13:02

I'm also using thomseddon/traefik-forward-auth and, unfortunately, it seems ~unmaintained.

To work around that issue I add our CA to a custom-built image. I also have to build from https://github.com/thomseddon/traefik-forward-auth/pull/49#issuecomment-784741410 as otherwise you can't use it for anything with a path prefix :/

I don't think it's fit for production as-is; particularly being a security-sensitive component - you want something well maintained.

So, I'm considering alternative options to provide Azure AD auth for our traefik ingress. I'll check out oauth2-proxy and I'll be interested in your experiences! 👀

dhirschfeld, Feb 08 '22 23:02
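The workaround described above (trusting the private CA instead of disabling certificate verification), as an added example that is not from this thread or from the traefik-forward-auth project. It assumes the upstream image is published as thomseddon/traefik-forward-auth:2, that the internal CA certificate is available as private-ca.crt in the build context, and relies on Go's crypto/x509 honouring SSL_CERT_FILE on Linux.

```dockerfile
# Stage 1: build a CA bundle containing the public roots plus our private CA.
FROM alpine:3.18 AS cabundle
RUN apk add --no-cache ca-certificates
# private-ca.crt (assumed file name): PEM certificate of the internal CA
# that signed the identity provider's TLS certificate.
COPY private-ca.crt /usr/local/share/ca-certificates/private-ca.crt
RUN update-ca-certificates

# Stage 2: start from the upstream forward-auth image (assumed tag)
# and give it the merged bundle.
FROM thomseddon/traefik-forward-auth:2
COPY --from=cabundle /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
# Go's TLS stack reads SSL_CERT_FILE on Linux, so the binary verifies the
# IdP's certificate against this bundle; no insecure skip-verify setting is needed.
ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
```

Rebuild the image whenever the private CA is rotated, since the bundle is baked in at build time.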

using Let's Encrypt for generating the certs would be the recommended way

Our infra is in a pretty locked down private network so using Let's Encrypt was a non-starter for us.

dhirschfeld, Feb 08 '22 23:02

@dhirschfeld thanks for joining in the conversation. Yes I agree and do see some issues using this project long term. We will be talking about this issue in around 3 months or so. We will make sure to update this issue on what we find.

costrouc, Feb 12 '22 13:02

We will make sure to update this issue on what we find.

Thanks! I'm doing some similar stuff to qhub so am very interested in how you're going about things. I'm keeping an eye on development here with a view to hopefully giving it a go at some stage (when I can find the time!)

dhirschfeld, Feb 12 '22 13:02

I wonder if moving to OAuth2Proxy would resolve this? @viniciusdc perhaps you know?

iameskild, May 29 '23 16:05