openshift / oauth-proxy

A reverse proxy that provides authentication with OpenShift via OAuth and Kubernetes service accounts
MIT License
261 stars 136 forks

Cookie signature includes the hostname when the --cookie-domain flag is set #239

Closed samuelvl closed 2 years ago

samuelvl commented 2 years ago

Description

I am working on this scenario to have a full SSO experience:

                  ┌─────────────┐    ┌─────────────┐
app1.mydomain.com │             │    │             │
  ───────────────►│ oauth-proxy ├───►│    app1     │
                  │             │    │             │
                  └─────────────┘    └─────────────┘

                  ┌─────────────┐    ┌─────────────┐
app2.mydomain.com │             │    │             │
  ───────────────►│ oauth-proxy ├───►│    app2     │
                  │             │    │             │
                  └─────────────┘    └─────────────┘

If I log in to app1 I don't want to log in again in app2, so I am using the --cookie-domain flag to enable the cookie in all the applications of my domain:

--cookie-name=my-oauth-cookie
--cookie-domain=.mydomain.com

However, when I am already logged in to app1 and try to reach app2, I get the following error:

2022/01/05 22:43:11 oauthproxy.go:729: 10.129.2.1:34588 Cookie Signature not valid

I have been digging into the code and realized the cookie signature includes the route hostname even if the --cookie-domain flag is set:

https://github.com/openshift/oauth-proxy/blob/d347e1a29cdc5214ef9d15d61c328fbc24340192/oauthproxy.go#L411
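An added illustration, not oauth-proxy's own code, of why a signature that covers the request host fails on a second host while one that covers the configured cookie domain verifies everywhere under it; the seed, cookie value and the signedValue/validate/cookieScope helpers are constructed for this example and do not mirror the project's functions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)
// signedValue appends an HMAC over (name, scope, value). Signing the request
// host binds the cookie to one hostname; signing the cookie domain does not.
func signedValue(seed, name, scope, value string) string {
	mac := hmac.New(sha256.New, []byte(seed))
	mac.Write([]byte(name + "|" + scope + "|" + value))
	return value + "|" + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// validate recomputes the signature under the receiver's scope (constant-time compare).
func validate(seed, name, scope, signed string) (string, bool) {
	i := strings.LastIndex(signed, "|")
	if i < 0 {
		return "", false
	}
	value := signed[:i]
	if !hmac.Equal([]byte(signedValue(seed, name, scope, value)), []byte(signed)) {
		return "", false
	}
	return value, true
}

// cookieScope picks what is signed: the request host when no cookie domain is
// configured, otherwise the shared domain given by --cookie-domain.
func cookieScope(reqHost, cookieDomain string) string {
	if cookieDomain == "" {
		return reqHost
	}
	return cookieDomain
}

func main() {
	const seed, name, domain = "constructed-seed", "my-oauth-cookie", ".mydomain.com"
	// Host-bound: issued on app1, rejected on app2 ("Cookie Signature not valid").
	c := signedValue(seed, name, "app1.mydomain.com", "session-xyz")
	_, ok := validate(seed, name, "app2.mydomain.com", c)
	fmt.Println("host-bound cookie valid on app2:", ok) // false
	// Domain-bound: issued on app1 under --cookie-domain, accepted on app2.
	c = signedValue(seed, name, cookieScope("app1.mydomain.com", domain), "session-xyz")
	_, ok = validate(seed, name, cookieScope("app2.mydomain.com", domain), c)
	fmt.Println("domain-bound cookie valid on app2:", ok) // true
}
```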

openshift-bot commented 2 years ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

openshift-bot commented 2 years ago

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten /remove-lifecycle stale

openshift-bot commented 2 years ago

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen. Mark the issue as fresh by commenting /remove-lifecycle rotten. Exclude this issue from closing again by commenting /lifecycle frozen.

/close

openshift-ci[bot] commented 2 years ago

@openshift-bot: Closing this issue.

In response to [this](https://github.com/openshift/oauth-proxy/issues/239#issuecomment-1147758468):

> Rotten issues close after 30d of inactivity.
>
> Reopen the issue by commenting `/reopen`.
> Mark the issue as fresh by commenting `/remove-lifecycle rotten`.
> Exclude this issue from closing again by commenting `/lifecycle frozen`.
>
> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.