[external-auth]: auth-send-body misleading #1377

Closed
mrahbar opened this issue Sep 15, 2017 · 3 comments · Fixed by #1533

mrahbar commented Sep 15, 2017

I have invested quite some time to write an auth-server which parses request params as well as the request body to perform authentication. After testing I found that the auth_request module does not pass the request_body to the auth sub-request but drops it intentionally. I was convinced from the annotation and some previous issues e.g. #811 that auth-send-body actually does the trick.

What is the purpose of the annotation ingress.kubernetes.io/auth-send-body: "true" then?

Is there any way with the current build of nginx-ingress-controller (0.9.0-beta.13) to pass the request_body to the auth-server during the auth sub-request?

Things I have tried without success

  1. Set proxy_pass_request_body to on, which is default anyway
  2. Change auth-method to POST
  3. Set request_body as header: `proxy_set_header X-Real-Body $request_body;`
  4. tcpdump the connection (3 node k8s-cluster, client on node1, nginx-ingress-controller & auth-server on node3)

```
mazad@kubernetesnode1:~$ sudo tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp2s0f0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:13:33.334723 IP kubernetesnode1.42334 > kubernetesnode3.http: Flags [P.], seq 2149266313:2149266530, ack 3664962663, win 229, options [nop,nop,TS val 64413018 ecr 64406182], length 217: HTTP: POST /api/outgoing HTTP/1.1
E.....@.@.5.
...
....^.P..3..r.g...........
...Z....POST /api/outgoing HTTP/1.1
Host: <removed>
User-Agent: curl/7.47.0
Accept: */*
Content-Length: 18
Content-Type: application/x-www-form-urlencoded
{"storeId":"1235"}

22:14:33.335579 IP kubernetesnode3.http > kubernetesnode1.42334: Flags [P.], seq 1:356, ack 217, win 235, options [nop,nop,TS val 64421183 ecr 64413018], length 355: HTTP: HTTP/1.1 500 Internal Server Error
E...&.@.@...
...
....P.^.r.g..4b...........
...?...ZHTTP/1.1 500 Internal Server Error
Server: nginx/1.13.5
Date: Fri, 15 Sep 2017 20:15:40 GMT
Content-Type: text/html
Content-Length: 193
Connection: close
<html>
<head><title>500 Internal Server Error</title></head>
<body bgcolor="white">
<center><h1>500 Internal Server Error</h1></center>
<hr><center>nginx/1.13.5</center>
</body>
</html>
```

Sources:

[1] https://www.nginx.com/resources/admin-guide/restricting-access-auth-request/

> As the request body is discarded for authentication subrequests, you will need to set the
> proxy_pass_request_body directive to off and also set the Content-Length header to a null string

[2] https://www.nginx.com/resources/wiki/extending/examples/auth_request/

/*
+ allocate fake request body to avoid attempts to read it and to make
+ sure real body file (if already read) won't be closed by upstream
*/

aledbf (Member) commented Oct 15, 2017

@mrahbar thank you for the report. Unfortunately, it is not possible to send the body using the auth_request feature.

@evgeny-s

> @mrahbar thank you for the report. Unfortunately, it is not possible to send the body using the auth_request feature.

Any other options?
I need to verify the body for custom authentication. I don't use classic JWT or cookies.
Could you please assist with that? Thanks.

@VinayagamBabu

> > @mrahbar thank you for the report. Unfortunately, it is not possible to send the body using the auth_request feature.
>
> Any other options?
> I need to verify the body for custom authentication. I don't use classic JWT or cookies.
> Could you please assist with that? Thanks.

Hi @evgeny-s / @mrahbar, I am trying to print the request body after external authentication. I always get the request_body variable as empty. Please let me know if we have any option to print the $request_body in logs.
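
An added example (not code from this issue or from the ingress controller project) for the behaviour discussed in this thread: since the auth subrequest carries no request body, an external auth service has to decide from headers alone and must not block reading a body that a forwarded Content-Length advertises. The header names `X-Auth-Token` and `X-Original-URI`, the token table, the `/auth` path and the `probe` helper are assumptions made for the illustration.

```python
import hmac
import socket
import socketserver
import threading
from http.server import BaseHTTPRequestHandler

# Constructed sample data (assumption): token -> path prefix it may access.
TOKENS = {"demo-token-123": "/api/"}

def decide(headers):
    """Map auth-subrequest headers to 204 (allow) or 401 (deny)."""
    token = headers.get("X-Auth-Token", "")   # hypothetical credential header
    uri = headers.get("X-Original-URI", "")   # assumed to be set by the proxy
    for known, prefix in TOKENS.items():
        same = hmac.compare_digest(token.encode(), known.encode())
        if same and uri.startswith(prefix):
            return 204
    return 401

class AuthHandler(BaseHTTPRequestHandler):
    def _answer(self):
        # No self.rfile.read() here: the subrequest has no body, so reading
        # the advertised Content-Length bytes would block until a timeout.
        self.send_response(decide(self.headers))
        self.send_header("Content-Length", "0")
        self.end_headers()
    do_GET = do_POST = _answer

def probe(port, token, declared_length=18, timeout=3.0):
    """Send headers that advertise a body, never send it, return the status."""
    request = (
        "POST /auth HTTP/1.1\r\nHost: auth.local\r\n"
        f"X-Auth-Token: {token}\r\nX-Original-URI: /api/outgoing\r\n"
        f"Content-Length: {declared_length}\r\n\r\n"
    ).encode()
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
        s.sendall(request)
        status_line = s.recv(4096).split(b"\r\n", 1)[0]
    return int(status_line.split()[1])

def run_demo():
    server = socketserver.TCPServer(("127.0.0.1", 0), AuthHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        return probe(port, "demo-token-123"), probe(port, "wrong-token")
    finally:
        server.shutdown()
        server.server_close()
```

`run_demo()` returns one status per probe; nginx's auth_request module treats a 2xx reply as allow and 401 or 403 as deny.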
