bitly / oauth2_proxy

A reverse proxy that provides authentication with Google, Github or other provider
MIT License

oauth2_proxy along with google authentication #598

Open r-divakaran-hrs opened 6 years ago

r-divakaran-hrs commented 6 years ago

Hello,

I am using oauth2_proxy for authenticating a few ingresses using Google. Example URL: monitor.qa-lab.com

In the Google console:
Origin URL is set to: https://monitor.qa-lab.com
Callback URL: https://monitor.qa-lab.com/oauth2/callback

Name:                   oauth2-proxy
Namespace:              kube-ingress
CreationTimestamp:      Wed, 23 May 2018 11:04:39 +0200
Labels:                 app=oauth2-proxy
                        chart=oauth2-proxy-0.4.1
                        heritage=Tiller
                        release=oauth2-proxy
Annotations:            deployment.kubernetes.io/revision=3
Selector:               app=oauth2-proxy,release=oauth2-proxy
Replicas:               2 desired | 2 updated | 2 total | 2 available | 0 unavailable
StrategyType:           RollingUpdate
MinReadySeconds:        0
RollingUpdateStrategy:  25% max unavailable, 25% max surge
Pod Template:
  Labels:  app=oauth2-proxy
           release=oauth2-proxy
  Containers:
   oauth2-proxy:
    Image:      a5huynh/oauth2_proxy:2.2
    Port:       4180/TCP
    Host Port:  0/TCP
    Args:
      --cookie-domain=.qa-lab.com
      --email-domain=innovate.test.com
      --http-address=0.0.0.0:4180
      --upstream=file:///dev/null
    Liveness:   http-get http://:http/ping delay=0s timeout=1s period=10s #success=1 #failure=3
    Readiness:  http-get http://:http/ping delay=0s timeout=1s period=10s #success=1 #failure=3
    Environment:
      OAUTH2_PROXY_CLIENT_ID:      <set to the key 'client-id' in secret 'oauth2-proxy'>      Optional: false
      OAUTH2_PROXY_CLIENT_SECRET:  <set to the key 'client-secret' in secret 'oauth2-proxy'>  Optional: false
      OAUTH2_PROXY_COOKIE_SECRET:  <set to the key 'cookie-secret' in secret 'oauth2-proxy'>  Optional: false
    Mounts:                        <none>
  Volumes:                         <none>

Above is the deployment for oauth proxy. I have changed the domain name to test, which is not real.

The issue is that each time I access https://monitor.qa-lab.com, it keeps asking for authentication, looping to https://monitor.qa-lab.com/oauth2/sign_in?jd=/#. At this point, if I remove ?jd=/# and access it, it works as expected.

Has anyone faced the same issue and already know a workaround or a fix?

Thanks

ermik commented 6 years ago

This kind of behavior is known to me as a result of specifying /sign_in as a must-hit endpoint. If your request hits sign_in after the OAuth flow has completed, the endpoint will reset the cookie and present the authentication page.
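
The sequence described in the comment above (a request landing on /oauth2/sign_in right after the OAuth callback has succeeded) can be spotted in an access log in front of the proxy. The following is an added example, not part of the original thread or of oauth2_proxy itself; the log format, the sample lines, and the function names are constructed for illustration, and it assumes a successful callback is logged as a 302.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Common-log-style line: client, timestamp, request line, status, size (assumed format).
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log (not from the issue): 10.0.0.7 loops, 10.0.0.9 does not.
SAMPLE_LOG = """\
10.0.0.7 - - [23/May/2018:11:20:01 +0200] "GET /oauth2/sign_in?jd=/ HTTP/1.1" 200 2310
10.0.0.9 - - [23/May/2018:11:20:02 +0200] "GET /oauth2/sign_in HTTP/1.1" 200 2310
10.0.0.7 - - [23/May/2018:11:20:03 +0200] "GET /oauth2/start HTTP/1.1" 302 0
10.0.0.9 - - [23/May/2018:11:20:04 +0200] "GET /oauth2/start HTTP/1.1" 302 0
10.0.0.7 - - [23/May/2018:11:20:06 +0200] "GET /oauth2/callback?code=REDACTED&state=REDACTED HTTP/1.1" 302 0
10.0.0.7 - - [23/May/2018:11:20:06 +0200] "GET /oauth2/sign_in?jd=/ HTTP/1.1" 200 2310
10.0.0.9 - - [23/May/2018:11:20:07 +0200] "GET /oauth2/callback?code=REDACTED&state=REDACTED HTTP/1.1" 302 0
10.0.0.9 - - [23/May/2018:11:20:07 +0200] "GET / HTTP/1.1" 200 5120
10.0.0.7 - - [23/May/2018:11:20:09 +0200] "GET /oauth2/start HTTP/1.1" 302 0
10.0.0.7 - - [23/May/2018:11:20:12 +0200] "GET /oauth2/callback?code=REDACTED&state=REDACTED HTTP/1.1" 302 0
10.0.0.7 - - [23/May/2018:11:20:12 +0200] "GET /oauth2/sign_in?jd=/ HTTP/1.1" 200 2310
"""

def callback_then_sign_in(log_text):
    """Count, per client, hits on /oauth2/sign_in that directly follow a
    successful (302) /oauth2/callback from the same client."""
    counts = defaultdict(int)
    after_callback = {}  # client -> True if its previous request was a 302 callback
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        client = m["client"]
        path = urlsplit(m["target"]).path  # drop the query string before comparing
        if after_callback.get(client) and path == "/oauth2/sign_in":
            counts[client] += 1
        after_callback[client] = path == "/oauth2/callback" and m["status"] == "302"
    return dict(counts)

def looping_clients(log_text, threshold=2):
    """Clients that hit sign_in after a completed flow at least `threshold` times."""
    hits = callback_then_sign_in(log_text)
    return sorted(c for c, n in hits.items() if n >= threshold)

if __name__ == "__main__":
    print(looping_clients(SAMPLE_LOG))
```

A client that shows up here is being sent back to the sign-in page after each completed login, which points at the post-login redirect target rather than at the Google side of the flow.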