Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

filters/auth: allow insecure grant flow #2457

Merged
merged 1 commit into from
Jul 17, 2023
Merged

filters/auth: allow insecure grant flow #2457

merged 1 commit into from
Jul 17, 2023

Conversation

AlexanderYastrebov
Copy link
Member

@AlexanderYastrebov AlexanderYastrebov commented Jul 13, 2023
edited
Loading

Add a flag to allow insecure grant flow:

  • issue token cookie without secure attribute
  • use http scheme for callback url

@MustafaSaber
Copy link
Member

👍

@RomanZavodskikh
Copy link
Member

RomanZavodskikh commented Jul 13, 2023
edited
Loading

In theory, Eve stealing the data in the HTTP connection between Alice (client) and Bob (server) could steal ztoken of Alice and authenticate herself as Alice, couldn't she?

@AlexanderYastrebov
Copy link
Member Author

That is correct. The feature is meant for local testing.
Alternative is to run HTTPS Skipper with self-signed certificate and ignore browser warning.

@AlexanderYastrebov
Copy link
Member Author

Related #1775

@AlexanderYastrebov
Copy link
Member Author

Build failed with

--- FAIL: TestRedisContainer (0.87s)
    redistest.go:39: Failed to start redis server: http: invalid Host header, host port waiting failed: could not start container: creating reaper failed: failed to create container

looks related to testcontainers/testcontainers-go#1359

@AlexanderYastrebov AlexanderYastrebov mentioned this pull request Jul 13, 2023
Closed
@RomanZavodskikh RomanZavodskikh mentioned this pull request Jul 14, 2023
Merged
@AlexanderYastrebov
filters/auth: allow insecure grant flow
d40e950 
Add a flag to allow insecure grant flow:
* issue token cookie without secure attribute
* use http schem for callback url

Signed-off-by: Alexander Yastrebov <[email protected]>
@RomanZavodskikh
Copy link
Member

👍

1 similar comment
@MustafaSaber
Copy link
Member

👍

@AlexanderYastrebov AlexanderYastrebov merged commit 62302e4 into master Jul 17, 2023
8 checks passed
@AlexanderYastrebov AlexanderYastrebov deleted the filters/grant-insecure branch July 17, 2023 14:32
@AlexanderYastrebov AlexanderYastrebov mentioned this pull request Feb 1, 2024
Closed
AlexanderYastrebov added a commit that referenced this pull request Feb 1, 2024
@AlexanderYastrebov
docs: describe additional oauthGrant flags
8ee568a 
Followup on #2203
Followup on #2244
Followup on #2457

Updates #2898

Signed-off-by: Alexander Yastrebov <[email protected]>
@AlexanderYastrebov AlexanderYastrebov mentioned this pull request Feb 1, 2024
Merged
AlexanderYastrebov added a commit that referenced this pull request Feb 5, 2024
@AlexanderYastrebov
docs: describe additional oauthGrant flags (#2899)
94484ba 
Followup on #2203
Followup on #2244
Followup on #2457

Updates #2898

Signed-off-by: Alexander Yastrebov <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
oauth-grant
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@AlexanderYastrebov @MustafaSaber @RomanZavodskikh