Incorrect redirect after Login when terminating TLS with reverse proxy

ryancurrah commented 6 months ago

Pre-requisites

[X] I have double-checked my configuration
[X] I have tested with the :latest image tag (i.e. quay.io/argoproj/workflow-controller:latest) and can confirm the issue still exists on :latest. If not, I have explained why, in detail, in my description below.
[X] I have searched existing issues and could not find a match for this bug
[X] I'd like to contribute the fix myself (see contributing guide)

What happened/what did you expect to happen?

Description:

When clicking an Argo Workflows link, if I'm not logged in, I'm redirected to the login page. After logging in, I'm redirected to the workflows page instead of the original page I was trying to access.

Steps to reproduce:

Click an Argo Workflows link to a specific page
If not logged in, click the "Login" button
After logging in, observe that you are redirected to the workflows page (not the page you intended to visit)

Debugging information:

The issue is located in sso.go#L351-L353
The condition strings.HasPrefix(cookie.Value, prefix) always evaluates to false due to a mismatch between the HTTP and HTTPS schemes.
The secure variable is set to false because opts.TLSConfig is nil, indicating that Argo Server is not terminating TLS. Instead, a reverse proxy is used to terminate TLS. So https://github.com/argoproj/argo-workflows/blob/v3.5.5/server/auth/sso/sso.go#L345-L348 ends up being http when infact we are using https.

Expected behavior:

After logging in, the user should be redirected to the original project they were trying to access, not the last viewed project.

Version: Argo Workflows v3.5.5

Version

v3.5.5

Paste a small workflow that reproduces the issue. We must be able to run the workflow; don't enter a workflows that uses private images.

n/a

Logs from the workflow controller

kubectl logs -n argo deploy/workflow-controller | grep ${workflow}

Logs from in your workflow's wait container

kubectl logs -n argo -c wait -l workflows.argoproj.io/workflow=${workflow},workflow.argoproj.io/phase!=Succeeded

agilgur5 commented 6 months ago

Follow-up to this Slack thread

The secure variable is set to false because opts.TLSConfig is nil, indicating that Argo Server is not terminating TLS. Instead, a reverse proxy is used to terminate TLS. So https://github.com/argoproj/argo-workflows/blob/v3.5.5/server/auth/sso/sso.go#L345-L348 ends up being http when infact we are using https.

We could potentially use the request's protocol to determine this.

But secure: false has other implications, like the Cookie setting and potentially others that we should be careful around and ensure properly handle ingress TLS termination.

EDIT: Here's another redirect line that depends on it that should be changed too.

ejsuncy commented 5 months ago

Thanks for opening this ticket from my slack help request! subscribing for updates...

agilgur5 commented 5 months ago

Workaround is to use a self-signed cert on the Server with secure: true, per the Slack thread

bmooso commented 4 months ago

+1

argoproj / argo-workflows