Redirect login page if user not found in whiteList
Hi,
Trying to whitelist the users who may access the application. The option is working great for users that are in the whiteList. If a user is not listed under whiteList, vouch proxy displays "the user is not under whitelist, try again later". It's not redirecting back to the login page.

You could capture the 401 Unauthorized response from https://vouch.yourdomain.com/auth in Nginx and then 302 redirect the browser.
However, you should be aware that this has the potential to set up an infinite redirect loop with some IdPs.
# vouch.yourdomain.com
server {
    listen 443 ssl http2;
    server_name vouch.yourdomain.com;
    ssl_certificate /etc/letsencrypt/live/vouch.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/vouch.yourdomain.com/privkey.pem;
    location / {
        proxy_pass http://127.0.0.1:9090;
        # be sure to pass the original host header
        proxy_set_header Host $http_host;
    }
    location /auth {
        proxy_pass http://127.0.0.1:9090;
        proxy_set_header Host $http_host;
        # error_page only sees the upstream's status code when nginx intercepts it
        proxy_intercept_errors on;
        error_page 401 = @autherror;
    }
    # a named location needs the location keyword
    location @autherror {
        return 302 https://vouch.yourdomain.com/login?url=$scheme://$http_host$request_uri;
        # vouch-failcount, X-Vouch-Token and error could be appended from the
        # $auth_resp_failcount / $auth_resp_jwt / $auth_resp_err variables, but those
        # only exist where auth_request_set defines them (the protected app's /validate
        # block); referencing an undefined variable here makes nginx refuse to start
        # or it may be better to 302 redirect to https://protectedapp.yourdomain.com
    }
}
I'm uncertain if this should be the responsibility of VP. Where possible I'd prefer to leave the routing decisions in Nginx.
There's a case for incrementing the failcount via auth_request_set $auth_resp_failcount $upstream_http_x_vouch_failcount; which IIRC is not included during a failed /auth. Would you be able to submit a PR to include that change? It should be a quick cut and paste and test from /validate.
As per #160, VP probably should return 403 Forbidden when the user is authenticated at the IdP but not authorized (not on the whitelist, not in the domain, etc.).
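For reference, here is the protected-app side of the pattern the answer above refers to: an auth_request subrequest to vouch's /validate, auth_request_set lines that copy the X-Vouch-* response headers into variables, and an error_page 401 handler that redirects to /login. This is an added example and not code from the thread or from vouch-proxy's own documentation; the hostnames, the 127.0.0.1:9090 / 127.0.0.1:8080 ports, the certificate paths and the app-side 403 page are assumptions. The 403 branch only matters if VP returns 403 for authenticated-but-unauthorized users as proposed in #160; it exists precisely so that those users are not bounced back to /login, which is the redirect loop mentioned above.

```nginx
# protectedapp.yourdomain.com  (added example; hostnames, ports and cert paths are assumed)
# Requires nginx built with --with-http_auth_request_module.
server {
    listen 443 ssl http2;
    server_name protectedapp.yourdomain.com;
    ssl_certificate     /etc/letsencrypt/live/protectedapp.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/protectedapp.yourdomain.com/privkey.pem;

    # Every request is first sent as a subrequest to vouch-proxy's /validate.
    # 200 lets the request through; any other status is handled by the
    # error_page directives below instead of reaching the application.
    auth_request /validate;

    location = /validate {
        internal;                           # never reachable from the outside
        proxy_pass http://127.0.0.1:9090/validate;
        proxy_set_header Host $http_host;   # vouch needs the original host header
        # an auth subrequest carries no body
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";

        # Copy vouch's response headers into request variables. These are the
        # variables the @error401 redirect references; without these lines nginx
        # refuses to start with "unknown variable".
        auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
        auth_request_set $auth_resp_jwt          $upstream_http_x_vouch_jwt;
        auth_request_set $auth_resp_err          $upstream_http_x_vouch_err;
        auth_request_set $auth_resp_failcount    $upstream_http_x_vouch_failcount;
    }

    # Unauthenticated (no or invalid cookie): send the browser to vouch's /login,
    # carrying the original URL so the user lands back here after the IdP round trip.
    error_page 401 = @error401;
    location @error401 {
        return 302 https://vouch.yourdomain.com/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
    }

    # Authenticated at the IdP but not authorized (whitelist/domain), assuming VP
    # returns 403 as proposed in #160: do NOT redirect to /login again, because the
    # IdP would immediately send the same user straight back here. Show a page instead.
    error_page 403 = @error403;
    location @error403 {
        default_type text/plain;
        return 403 "Your account is signed in but is not authorized for this application.";
    }

    location / {
        proxy_pass http://127.0.0.1:8080;   # the protected application (assumed)
        proxy_set_header Host $http_host;
        # hand the validated identity to the app, never the raw cookie
        proxy_set_header X-Vouch-User $auth_resp_x_vouch_user;
    }
}
```

Note that error_page for a proxied response from the application itself is not triggered unless proxy_intercept_errors is on, so the 401/403 handlers above only fire for the auth_request result, which is what you want: the app's own error pages stay untouched.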
@bnfinet Thanks for the quick response.
I did add the /auth block as you suggested and tried to redirect the user to the login page, but it's not working. So I decided to enable logging in VP, which shows that whenever the user does not exist in the whitelist, VP handles the request with status code 200 rather than 401. Hence Nginx is not triggering the @autherror block. Please have a look at the VP log below:

Hi!
I think the best way here is to add something to the vouch auth URL, for example /authenticate/auth?blablabla&http=403, and then trigger on this parameter with NGINX, like this:
if ($request_uri ~* 'http=403') {
return 302 ....
}