The page isn’t redirecting properly #232

Closed
clyang82 opened this issue Nov 5, 2021 · 11 comments
Labels
lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments


clyang82 commented Nov 5, 2021

I am using oauth-proxy in front of my service. I want to leverage the oauth-proxy capability to do authentication. Here is my configuration for oauth-proxy:

    - --provider=openshift
    - --upstream=https://xxx.svc:8443
    - --upstream-ca=/etc/tls/ca/service-ca.crt
    - --https-address=:9443
    - --client-id=multicloudingress
    - --client-secret=xxxxxx
    - --pass-user-bearer-token=true
    - --pass-access-token=true
    - --scope=user:full
    - '-openshift-delegate-urls={"/": {"resource": "projects", "verb": "list"}}'
    - --skip-provider-button=true
    - --cookie-secure=true
    - --cookie-expire=12h0m0s
    - --cookie-refresh=8h0m0s
    - --tls-cert=/etc/tls/private/tls.crt
    - --tls-key=/etc/tls/private/tls.key
    - --cookie-secret=xxxx
    - --openshift-ca=/etc/pki/tls/cert.pem
    - --openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt

I enabled auto-refresh for my page. I found that if the cookie has expired, sometimes I hit the problem below.
First: (screenshot)
Click to login: (screenshot)
Then "Log in with OpenShift": (screenshot)

I cannot get to my page. I have to close my browser and log in again.
I am not sure whether my usage is wrong or something is wrong with oauth-proxy.
I would appreciate any suggestions.
I can add more details if needed. Thanks.


clyang82 commented Nov 5, 2021

@stlaz could you provide your comments or suggestions here? Thanks.


clyang82 commented Nov 9, 2021

Adding why the page is not redirecting properly: it is due to an infinite redirect loop.
(screenshot)


s-urbaniak commented Nov 25, 2021

Your nonce value stored in the _oauth2_proxy_csrf cookie does not match the nonce value returned from the OAuth callback passed via the state request parameter. Make sure the value is correctly returned within the callback.

@clyang82

@s-urbaniak Thanks for your reply. Could you elaborate on how to make sure the value is returned within the callback correctly? As I understand it, the _oauth2_proxy_csrf cookie is set via the SetCSRFCookie method, and the callback is also set by the SetCSRFCookie method.
https://github.com/openshift/oauth-proxy/blob/9ea1ebc89f721d3cd929f58c7ab9ed4273d3c493/oauthproxy.go#L610:L630
Where is my configuration wrong?

@openshift-bot

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci openshift-ci bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 27, 2022
@openshift-bot

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

@openshift-ci openshift-ci bot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Mar 29, 2022
@openshift-bot

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

@openshift-ci openshift-ci bot closed this as completed Apr 28, 2022

openshift-ci bot commented Apr 28, 2022

@openshift-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.


ibihim commented Jul 4, 2022

When the flag --skip-provider-button is set to true, you can't pass the target URI as a parameter.
You will always be redirected to the upstream host of the proxy with an authenticated session on the root path /.

If you want to redirect to a relative path, you need to set --skip-provider-button to false.
Or you need to make the upstream host able to handle a redirect to the root path /.

I understand your concern about this flow, but this is not a bug (this behavior is enforced in more than one place). You would need to raise a feature request.


ibihim commented Jul 4, 2022

There is a CSRF token set. It prevents CSRF attacks. It is quite common to limit the life span of such tokens to a short period of time. This is not a bug.
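As an added example (not oauth-proxy's own code), the check s-urbaniak describes and the short-lived token ibihim mentions, modelled in Go: a nonce is stored in the _oauth2_proxy_csrf cookie and echoed back through the OAuth `state` parameter, and the callback fails closed when the cookie has expired or the nonce differs. The `nonce:redirectPath` state encoding, the struct and function names and the 5-minute TTL are assumptions for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// csrfCookie models the _oauth2_proxy_csrf cookie: a random nonce plus its expiry.
type csrfCookie struct {
	Nonce   string
	Expires time.Time
}

var errCookieExpired = errors.New("csrf cookie missing or expired")
var errNonceMismatch = errors.New("state nonce does not match csrf cookie")

// beginLogin issues the CSRF cookie and the OAuth state parameter. The state
// carries "nonce:redirectPath" (a constructed format) so the callback can recover both.
func beginLogin(redirectPath string, now time.Time, ttl time.Duration) (csrfCookie, string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return csrfCookie{}, "", err
	}
	nonce := hex.EncodeToString(b)
	return csrfCookie{Nonce: nonce, Expires: now.Add(ttl)}, nonce + ":" + redirectPath, nil
}

// handleCallback checks the state against the cookie and returns the post-login path.
// An expired cookie fails closed, so the proxy restarts the login; a page that
// auto-refreshes past the cookie TTL never leaves that loop.
func handleCallback(state string, cookie *csrfCookie, now time.Time) (string, error) {
	if cookie == nil || !now.Before(cookie.Expires) {
		return "", errCookieExpired
	}
	nonce, path, ok := strings.Cut(state, ":")
	if !ok || subtle.ConstantTimeCompare([]byte(nonce), []byte(cookie.Nonce)) != 1 {
		return "", errNonceMismatch
	}
	return path, nil
}

func main() {
	now := time.Now()
	cookie, state, _ := beginLogin("/dashboard", now, 5*time.Minute)
	fmt.Println(handleCallback(state, &cookie, now.Add(time.Minute)))    // /dashboard <nil>
	fmt.Println(handleCallback(state, &cookie, now.Add(10*time.Minute))) // error: csrf cookie missing or expired
}
```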

@clyang82

@ibihim Thanks for your response. We have switched to set --skip-provider-button to false.
