
fix: decision API copies X-Forwarded-Method to incoming requests which breaks traefik forward auth for HEAD requests

Open jrester opened this issue 2 years ago • 4 comments

Currently oathkeeper cannot handle HEAD requests from traefik Forward Auth middleware, because oathkeeper copies the forwarded method into the incoming request. With this fix HEAD requests now also work.

Related issue(s)

Currently when using the oathkeeper decision API together with traefik forward auth, HEAD requests cannot be handled correctly and will result in a timeout on the traefik side. This is because oathkeeper replaces the method of the incoming request with the method in the X-Forwarded-Method header, and because HEAD requests must not contain a body, it will not be written by go (https://github.com/golang/go/blob/9123221ccf3c80c741ead5b6f2e960573b1676b9/src/net/http/server.go#L377). But as traefik sends a GET request for forward auth, it expects a body back (https://github.com/traefik/traefik/blob/e54ee89330a800d509da7b11b46a6ecbb331e791/pkg/middlewares/auth/forward.go#L129), therefore traefik times out, as no body is sent by oathkeeper.

Reproduce

Although not the simplest setup, this is how I noticed this bug:

  1. set up oathkeeper with any rule you want (e.g. allow everything)
  2. set up the docker registry (https://github.com/distribution/distribution)
  3. set up traefik to point to the docker registry with a forward auth middleware to oathkeeper
  4. do a docker push with an image of your choice to the docker registry
  5. the push should retry multiple times and then fail with a 500 Internal Server Error
  6. the traefik logs should indicate timeout issues

Checklist

  • [x] I have read the contributing guidelines.
  • [ ] I have referenced an issue containing the design document if my change introduces a new feature.
  • [x] I am following the contributing code guidelines.
  • [x] I have read the security policy.
  • [x] I confirm that this pull request does not address a security vulnerability. If this pull request addresses a security vulnerability, I confirm that I got the approval (please contact [email protected]) from the maintainers to push the changes.
  • [x] I have added tests that prove my fix is effective or that my feature works.
  • [ ] I have added or changed the documentation.

Further Comments

For a more in depth writeup of the problem: https://github.com/thomseddon/traefik-forward-auth/issues/156

jrester avatar Dec 29 '22 11:12 jrester
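The failure mode described in the PR, as an added example that is not part of the PR or of oathkeeper's code: a hypothetical decision handler run under Go's real net/http server, once with X-Forwarded-Method copied into r.Method as reported and once keeping it in a local variable, probed the way traefik's forward-auth middleware does (a GET carrying X-Forwarded-Method: HEAD). The handler, the probe, the client timeout and the /decisions/v2/ path are assumptions.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// decisionHandler is a hypothetical stand-in for oathkeeper's decision
// endpoint. overwrite=true reproduces the reported bug (the forwarded method
// is copied into r.Method); overwrite=false keeps it in a local variable.
func decisionHandler(overwrite bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		method := r.Header.Get("X-Forwarded-Method")
		if method == "" {
			method = r.Method
		}
		if overwrite {
			// Bug: net/http now treats this as a HEAD response and discards
			// every byte written below, while the GET client keeps waiting.
			r.Method = method
		}
		w.WriteHeader(http.StatusOK) // rules would be matched on `method` here
		fmt.Fprintf(w, "allowed %s %s\n", method, r.URL.Path)
	}
}

// forwardAuthProbe plays traefik's forward-auth middleware: a GET to the
// decision endpoint carrying the real method in X-Forwarded-Method. It returns
// status, body and any error; a timeout error means no body ever arrived.
func forwardAuthProbe(h http.Handler, realMethod string) (int, string, error) {
	srv := httptest.NewServer(h)
	defer srv.Close()
	req, err := http.NewRequest(http.MethodGet, srv.URL+"/decisions/v2/", nil)
	if err != nil {
		return 0, "", err
	}
	req.Header.Set("X-Forwarded-Method", realMethod)
	client := &http.Client{Timeout: time.Second} // traefik gives up as well
	resp, err := client.Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}
```

With overwrite=true the probe gets a 200 status line but never receives a body and its read times out, which is the hang traefik reports; with overwrite=false the same request returns the "allowed HEAD /decisions/v2/" body.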

CLA assistant check
All committers have signed the CLA.

CLAassistant avatar Dec 29 '22 11:12 CLAassistant

Codecov Report

Merging #1046 (39854cf) into master (b5d4d88) will decrease coverage by 0.57%. Report is 1 commit behind head on master. The diff coverage is 100.00%.

:exclamation: Current head 39854cf differs from pull request most recent head 004b778. Consider uploading reports for the commit 004b778 to get more accurate results

@@            Coverage Diff             @@
##           master    #1046      +/-   ##
==========================================
- Coverage   78.16%   77.60%   -0.57%     
==========================================
  Files          80       79       -1     
  Lines        3898     4014     +116     
==========================================
+ Hits         3047     3115      +68     
- Misses        576      618      +42     
- Partials      275      281       +6     
Files             Coverage Δ
api/decision.go   95.55% <100.00%> (ø)

... and 2 files with indirect coverage changes

codecov[bot] avatar Dec 29 '22 11:12 codecov[bot]

@aeneasr are there any more changes required or can this be merged?

jrester avatar Nov 29 '23 10:11 jrester

This is still an issue it seems. Any updates?!

8th-block avatar Apr 20 '24 16:04 8th-block