Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Auth host mode and Traefik 2 without global intercept #129

Closed
coderanger opened this issue May 26, 2020 · 4 comments
Closed

Auth host mode and Traefik 2 without global intercept #129

coderanger opened this issue May 26, 2020 · 4 comments
Labels
enhancement New feature or request

Comments

@coderanger
Copy link

I'm trying to test out the specific mix of:

  1. Auth host mode
  2. With Traefik 2.0
  3. With the forwardauth middleware configured on a per-ingress level

The symptom is a redirect loop, when the IdP returns to /_oauth, that is seen as an unauthenticated request and so the response is to bounce back to the IdP. From looking through the code, it seems like AuthCallbackHandler is installed on the forward-auth router, rather than the top-level one. So the incoming URI is erased and replaced by X-Forwarded-Uri which doesn't exist since this request is coming through natively rather than via forwardauth itself. It seems like the best fix would be to move the callback handler to the top-level handler, but if not that then a simple fix would be to make RootHandler only do the X-Forwarded-Uri behavior if the header actually exists?

Does that sound reasonable?
@coderanger
Copy link
Author

I tested things out with this:

	if r.Header.Get("X-Forwarded-Method") != "" {
		r.Method = r.Header.Get("X-Forwarded-Method")
	}
	if r.Header.Get("X-Forwarded-Host") != "" {
		r.Host = r.Header.Get("X-Forwarded-Host")
	}
	if r.Header.Get("X-Forwarded-Uri") != "" {
		r.URL, _ = url.Parse(r.Header.Get("X-Forwarded-Uri"))
	}

and it seems much happier (though this can be rewritten to be faster, just wanted to check functionality).

@coderanger
Copy link
Author

I think this is the same issue as #81 and functionally the same solution.

@thomseddon
Copy link
Owner

So the solution to this is to ensure you're applying authentication to your tfa ingress, for example:

traefik-forward-auth/examples/traefik-v2/kubernetes/advanced-separate-pod/traefik-forward-auth/ingress.yaml

Lines 10 to 20 in c63fd73

spec:
entryPoints:
- https
routes:
- match: Host(`auth.example.com`)
kind: Rule
services:
- name: traefik-forward-auth
port: 4181
middlewares:
- name: traefik-forward-auth

(As a side note, this is documented in the README, but was missing from some of the examples, which was just fixed in #130 - thanks for pointing me to this!)

As an aside, I understand this is a slightly confusing setup when using selective authentication and it seems to have tripped quite a few people up. As such, I think it would actually make sense to gracefully support requests directly against the service, so I will leave this open to track that tweak.

@thomseddon thomseddon added the enhancement New feature or request label May 26, 2020
This was referenced Jun 30, 2020
Closed
Closed
Closed
Closed
@thomseddon
Copy link
Owner

PR open in #217

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@coderanger @thomseddon