-
Notifications
You must be signed in to change notification settings - Fork 352
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add X-Skipper-Redirect-Base-Uri override headers for oauthgrant filter redirect_uri #3228
base: master
Are you sure you want to change the base?
Conversation
Signed-off-by: Carl Zhou <[email protected]>
Signed-off-by: Carl Zhou <[email protected]>
Signed-off-by: Carl Zhou <[email protected]>
Signed-off-by: Carl Zhou <[email protected]>
Signed-off-by: Carl Zhou <[email protected]>
Signed-off-by: Carl Zhou <[email protected]>
Signed-off-by: Carl Zhou <[email protected]>
The problem with override by header is that it can easily lead to a security issue (example). |
Please describe the problem it intends to solve (maybe raise a ticket). |
It is true the client can now pass an arbitrary value, but ultimately the IDP will decide which redirect_uri values can be or cannot be allowed. |
Will prob follow up on @czhou-brex behalf for now as we're trying to use for oidc/auth-grant authN for our services. The problems they're running into is having another proxy in front of Skipper. In our case it's a CloudFront that caches some resources, so the routing kind of looks like the following:
So it's basically how to redirect to the top-most proxy in the chain when Skipper host isn't what directly visible to users due to smth like CDN. PS Another potential use case we're trying to figure out is localhost experience for things like webpack dev server, technically it is an acting proxy in front of Skipper too, and it can even do smth like |
Is it possible to configure first proxy to pass "cloudfront.brex.com" as a Host header?
I am not sure I understand who is supposed to send this header? Likely its not browser but first proxy, or? |
Yes it's doable, but then Skipper has to have routing rules for each external host. For things like localhost (or any local custom hosts e.g.
Yes, I would expect a first proxy to pass it somewhat. What's interesting, @mmichels-brex was testing it with both |
I think the "standard" way is to use X-Forwarded-Host header. In case of If we move towards passing host from upstream proxy then I think we should think about using
oid seems to also consider "host" header (see #1016) but I think this is not correct because go HTTP server removes Host header and puts its value to the request.Host: // For incoming requests, the Host header is promoted to the
// Request.Host field and removed from the Header map. So maybe if oidc route has See also recent Host header related discussion #2038 |
Why? Maybe you could provide your example routes for better understanding? |
Add an override request header for the base URL of the redirect_uri param. Fallback to the req.Host by default.
Testing:
Issue:
#3229