bitly / oauth2_proxy

A reverse proxy that provides authentication with Google, Github or other provider
MIT License

Is it possible to use wildcard subdomains in combination with GitHub as OAuth provider? #550

Open simonvanderveldt opened 6 years ago

simonvanderveldt commented 6 years ago

I was wondering if oauth2_proxy in combination with GitHub as OAuth provider allows the possibility of using wildcard subdomains for a single GitHub OAuth app?

AFAIK that's most of the time done through the state arg, but I don't think there's a way to add custom values to state at the moment.

Also, the wildcard/whitelisted subdomains functionality from #464 doesn't seem to work for this use case, probably because GitHub always redirects to the Authorization callback URL, which is not subdomain specific.

Is this simply not possible or am I missing something?

JoelSpeed commented 6 years ago

The work in #464 is for using one oauth2_proxy to protect multiple internal websites.

You are correct indeed that GitHub will only let you set one redirect URL and that should be the URL of your oauth2_proxy. To then protect multiple internal sites you need to start the authentication flow by directing users to https://oauth2.yourdomain.com/oauth/start?rd=https://subdomain.yourdomain.com (when you have the whitelist-domain set as .yourdomain.com).

We do this within our Kubernetes Ingress so I can't really advise how else you might do this if that isn't your use case. Although, if you put Nginx in front of any website you want to protect and use the auth request method you should be able to protect multiple internal sites with a single oauth2_proxy.

simonvanderveldt commented 6 years ago

@JoelSpeed Thx! I'll give the code in your PR a try.

simonvanderveldt commented 6 years ago

> You are correct indeed that GitHub will only let you set one redirect URL and that should be the URL of your oauth2_proxy. To then protect multiple internal sites you need to start the authentication flow by directing users to https://oauth2.yourdomain.com/oauth/start?rd=https://subdomain.yourdomain.com (when you have the whitelist-domain set as .yourdomain.com).
>
> We do this within our Kubernetes Ingress so I can't really advise how else you might do this if that isn't your use case. Although, if you put Nginx in front of any website you want to protect and use the auth request method you should be able to protect multiple internal sites with a single oauth2_proxy.

@JoelSpeed Trying to understand the flow you currently have: Does the Kubernetes ingress you use redirect (301?) to https://oauth2.yourdomain.com/oauth/start?rd=https://subdomain.yourdomain.com and the flow starts from there? If so, how can the user access the app running on the subdomain since nothing is proxying it?

Or does the Kubernetes ingress do the equivalent of nginx's auth_request and send off a call to oauth2_proxy? If so, to which URL/hostname? The publicly accessible https://oauth2.yourdomain.com/oauth/auth isn't going to work, right? And where would you then pass the redirect to https://subdomain.yourdomain.com in that case?

JoelSpeed commented 6 years ago

@simonvanderveldt Our ingress object proxies to the app as it normally would with any service.

To protect it with the oauth2_proxy we simply add the following annotations to the ingress object and, as you say, it uses nginx's auth_request directive.

We have the oauth2_proxy publicly accessible at https://auth.yourdomain.com/oauth2/ but it doesn't ever actually do any proxying, we just use the auth and start endpoints to check if the user is presently authenticated and then redirect them if not.

Note that we are using the Nginx ingress controller for this, I don't think other controllers support these annotations out of the box.

  annotations:
    ingress.kubernetes.io/auth-url: "https://auth.yourdomain.com/oauth2/auth"
    ingress.kubernetes.io/auth-signin: "https://auth.yourdomain.com/oauth2/start?rd=https://$host$request_uri"

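The rd= parameter in the auth-signin annotation above is attacker-controllable, so the start endpoint must only honour targets inside the configured whitelist-domain (.yourdomain.com in this thread) before sending the user there after login. The following is an added illustration, not oauth2_proxy's own code; the function names and the treatment of a leading dot as "domain plus all subdomains" are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// hostMatchesWhitelist reports whether host is an allowed redirect target.
// An entry with a leading dot (".yourdomain.com") allows the bare domain and
// every subdomain; an entry without a dot must match exactly. (Assumed
// semantics for this example, not taken from oauth2_proxy.)
func hostMatchesWhitelist(host string, whitelist []string) bool {
	host = strings.ToLower(host)
	for _, d := range whitelist {
		d = strings.ToLower(d)
		if strings.HasPrefix(d, ".") {
			if host == d[1:] || strings.HasSuffix(host, d) {
				return true
			}
		} else if host == d {
			return true
		}
	}
	return false
}

// SafeRedirect returns rd when it is an absolute https URL, carries no
// userinfo, and has a whitelisted host; otherwise it returns fallback.
// This prevents the start endpoint from acting as an open redirect
// (scheme-relative "//host" and lookalike hosts are rejected as well).
func SafeRedirect(rd string, whitelist []string, fallback string) string {
	if rd == "" {
		return fallback
	}
	u, err := url.Parse(rd)
	if err != nil || u.Scheme != "https" || u.Host == "" || u.User != nil {
		return fallback
	}
	if !hostMatchesWhitelist(u.Hostname(), whitelist) {
		return fallback
	}
	return u.String()
}

func main() {
	wl := []string{".yourdomain.com"} // constructed whitelist-domain value
	fb := "https://auth.yourdomain.com/"
	fmt.Println(SafeRedirect("https://dashboard.yourdomain.com/ui?p=1", wl, fb))
	fmt.Println(SafeRedirect("https://yourdomain.com.example.net/", wl, fb))
}
```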
simonvanderveldt commented 6 years ago

@JoelSpeed Awesome, thanks a lot! I'll have a look at the nginx ingress controller. It seems auth_request doesn't support URLs by default, will have a look into how that's solved with the ingress controller.

MaksymBilenko commented 6 years ago

@JoelSpeed I've tried your way but I'm having an issue with cyclic redirects (GitHub oauth2). Did you have a similar issue?

GitHub:
Homepage URL: auth.mydomain.com/oauth
Authorization callback URL: auth.mydomain.com/oauth/callback

When trying to auth dashboard.mydomain.com with your ingress annotations I'm getting cyclic redirects after GitHub auth.

MaksymBilenko commented 6 years ago

Managed to make it work. The issue was that I have the auth URL via an internal k8s service: nginx.ingress.kubernetes.io/auth-url: http://oauth2-proxy.kube-system.svc.cluster.local:4180/oauth2/auth

Fixed this issue by adding --cookie-domain=mydomain.com to the oauth2-proxy args.