nebari-dev / nebari

🪴 Nebari - your open source data science platform
https://nebari.dev
BSD 3-Clause "New" or "Revised" License
281 stars 93 forks

[enhancement] ForwardAuth OAuth provider that supports insecure TLS certificates #1024

Open costrouc opened 2 years ago

costrouc commented 2 years ago

Description

This issue was discovered in https://github.com/Quansight/qhub/pull/1017. It is related to an issue with traefik forward auth https://github.com/thomseddon/traefik-forward-auth/issues/122. This limits our forward auth to only working with trusted domains. We need to discuss and decide if we stick with traefik forward auth or move towards a more adopted forward auth e.g. https://github.com/oauth2-proxy/oauth2-proxy.

Value/benefit

Transparent authentication is more transparent.

viniciusdc commented 2 years ago

In the meantime, we should put a notice in the docs saying that using lets-encrypt for generating the certs would be the recommended way for a fresh install... @costrouc what do you think?

dhirschfeld commented 2 years ago

I'm also using thomseddon/traefik-forward-auth and, unfortunately, it seems ~unmaintained.

To work around that issue I add our CA to a custom-built image. I also have to build from https://github.com/thomseddon/traefik-forward-auth/pull/49#issuecomment-784741410 as otherwise you can't use it for anything with a path prefix :/

I don't think it's fit for production as-is; particularly being a security sensitive component - you want something well maintained.

So, I'm considering alternative options to provide Azure AD auth for our traefik ingress. I'll check out oauth2-proxy and I'll be interested in your experiences! 👀
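The comment above contrasts two ways of getting a forward-auth component to talk to an identity provider behind a private CA: baking the CA into the image so verification keeps working, or (what the issue title asks for) an "insecure TLS" switch. The following Go program is an added example, not code from this issue, from traefik-forward-auth or from oauth2-proxy; it assumes a self-signed httptest server standing in for the in-network identity provider and shows that a client handed the private CA verifies normally while a client with InsecureSkipVerify accepts any certificate at all. All function names are the example's own.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newClientTrustingCA returns an HTTP client that verifies server certificates
// against the system roots plus the PEM-encoded CA passed in. This is the
// "add our CA to the image" approach expressed in code: the private CA becomes
// a trust anchor and certificate verification stays fully enabled.
func newClientTrustingCA(caPEM []byte) (*http.Client, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool() // no usable system store; start from an empty pool
	}
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no CA certificate found in PEM input")
	}
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},
	}}, nil
}

// newInsecureClient is the weak setting an "insecure TLS" option would enable:
// verification is switched off, so any certificate presented on the path to the
// identity provider is accepted. Shown only as the contrast case.
func newInsecureClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}}
}

// startPrivateCAServer stands in for an identity provider inside a locked-down
// network (constructed for this example): httptest's TLS server uses a
// self-signed certificate that no system root trusts. The certificate is
// returned as PEM so it can be used as the CA to trust.
func startPrivateCAServer() (*httptest.Server, []byte) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	return srv, caPEM
}

// probe issues a GET and returns the transport error, if any. A certificate the
// client does not trust surfaces here as an x509 verification error.
func probe(c *http.Client, url string) error {
	resp, err := c.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// isUnknownAuthority reports whether err is the "certificate signed by unknown
// authority" failure, the symptom behind the linked traefik-forward-auth issue.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// compareTrust runs three clients against the private-CA server and returns
// their errors: the default client (system roots only) must fail, the client
// trusting the private CA succeeds, and the insecure client also succeeds
// because it never checks the certificate.
func compareTrust() (defaultErr, trustedErr, insecureErr error) {
	srv, caPEM := startPrivateCAServer()
	defer srv.Close()

	defaultErr = probe(&http.Client{}, srv.URL)

	trusted, err := newClientTrustingCA(caPEM)
	if err != nil {
		return defaultErr, err, nil
	}
	trustedErr = probe(trusted, srv.URL)
	insecureErr = probe(newInsecureClient(), srv.URL)
	return defaultErr, trustedErr, insecureErr
}

func main() {
	d, t, i := compareTrust()
	fmt.Printf("default client (system roots only): %v\n", d)
	fmt.Printf("client trusting the private CA:     %v\n", t)
	fmt.Printf("InsecureSkipVerify client:          %v\n", i)
}
```

The point for a forward-auth hop is that the two "working" clients are not equivalent: the CA-trusting client still rejects a certificate from anyone other than the private CA, whereas the InsecureSkipVerify client would accept an impostor in front of the identity provider, which is exactly the component that decides who gets through the ingress. Shipping the CA (as a mounted bundle or in the image) keeps the check; a global "insecure" flag removes it for every request the component makes.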

dhirschfeld commented 2 years ago

using lets-encrypt for generating the certs would be the recommended way

Our infra is in a pretty locked down private network so using Lets Encrypt was a non-starter for us.

costrouc commented 2 years ago

@dhirschfeld thanks for joining in the conversation. Yes I agree and do see some issues using this project long term. We will be talking about this issue in around 3 months or so. We will make sure to update this issue on what we find.

dhirschfeld commented 2 years ago

We will make sure to update this issue on what we find.

Thanks! I'm doing some similar stuff to qhub so am very interested in how you're going about things. I'm keeping an eye on development here with a view to hopefully giving it a go at some stage (when I can find the time!)

iameskild commented 1 year ago

I wonder if moving to OAuth2Proxy would resolve this? @viniciusdc perhaps you know?