filters/auth: allow insecure grant flow #2457

Merged: 1 commit, Jul 17, 2023

@AlexanderYastrebov (Member) commented Jul 13, 2023

Add a flag to allow insecure grant flow:

  • issue token cookie without secure attribute
  • use http scheme for callback url

@MustafaSaber (Member)

👍

@RomanZavodskikh (Member) commented Jul 13, 2023

In theory, Eve stealing the data in the HTTP connection between Alice (client) and Bob (server) could steal ztoken of Alice and authenticate herself as Alice, couldn't she?

@AlexanderYastrebov (Member, Author)

That is correct. The feature is meant for local testing.
An alternative is to run HTTPS Skipper with a self-signed certificate and ignore the browser warning.
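
The two behaviours the flag changes, and the exposure raised in the review above, sketched in Go as an added example. This is not Skipper's code: the function names, the cookie name, the `insecure` parameter and the `/callback` path are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
)

// tokenCookie builds the grant token cookie. The cookie name and the
// insecure parameter are hypothetical, not Skipper's own identifiers.
func tokenCookie(value string, insecure bool) *http.Cookie {
	return &http.Cookie{
		Name:     "example-token", // constructed sample name
		Value:    value,
		Path:     "/",
		HttpOnly: true,
		Secure:   !insecure, // insecure mode drops the Secure attribute
	}
}

// callbackURL picks the callback scheme; "/callback" is an assumed path.
func callbackURL(host string, insecure bool) string {
	scheme := "https"
	if insecure {
		scheme = "http"
	}
	return (&url.URL{Scheme: scheme, Host: host, Path: "/callback"}).String()
}

// sentOver reports whether a client that stored c would attach it to a
// request made with the given scheme (checked with the standard cookie jar).
func sentOver(scheme string, c *http.Cookie) bool {
	jar, _ := cookiejar.New(nil)
	jar.SetCookies(&url.URL{Scheme: "https", Host: "localhost"}, []*http.Cookie{c})
	return len(jar.Cookies(&url.URL{Scheme: scheme, Host: "localhost", Path: "/"})) > 0
}

func main() {
	for _, insecure := range []bool{false, true} {
		c := tokenCookie("constructed-token", insecure)
		fmt.Printf("insecure=%v callback=%s sent over http=%v\n",
			insecure, callbackURL("localhost:9090", insecure), sentOver("http", c))
	}
}
```

With the Secure attribute set, the cookie never travels over plain HTTP; without it, the token is attached to cleartext requests, which is the exposure described in the review comment.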

@AlexanderYastrebov (Member, Author)

Related #1775

@AlexanderYastrebov (Member, Author)

Build failed with

--- FAIL: TestRedisContainer (0.87s)
    redistest.go:39: Failed to start redis server: http: invalid Host header, host port waiting failed: could not start container: creating reaper failed: failed to create container

looks related to testcontainers/testcontainers-go#1359

Add a flag to allow insecure grant flow:
* issue token cookie without secure attribute
* use http scheme for callback url

Signed-off-by: Alexander Yastrebov <alexander.yastrebov@zalando.de>

@RomanZavodskikh (Member)

👍

@MustafaSaber (Member)

👍

AlexanderYastrebov merged commit 62302e4 into master on Jul 17, 2023
AlexanderYastrebov deleted the filters/grant-insecure branch on July 17, 2023 14:32
AlexanderYastrebov added a commit that referenced this pull request Feb 1, 2024
Followup on #2203
Followup on #2244
Followup on #2457

Updates #2898

Signed-off-by: Alexander Yastrebov <alexander.yastrebov@zalando.de>
AlexanderYastrebov added a commit that referenced this pull request Feb 5, 2024
Followup on #2203
Followup on #2244
Followup on #2457

Updates #2898

Signed-off-by: Alexander Yastrebov <alexander.yastrebov@zalando.de>