Open dannyyy opened 2 years ago
You should update your image to the :latest
tag, some bugs concerning whitelists in rules have been wiped out there. In theory the first configuration should get you the desired result, given that the email has been parsed from the token correctly.
Unfortunately this does not help. Using the first configuration with the latest image tag results in:

Public request works as expected.

Protected request redirects to Google and after login it only redirects to:
https://whoami.mydomain.com/_oauth?state=1234567890%3Agoogle%3Ahttps%3A%2F%2Fwhoami.mydomain.com%2Fsecure%2Fabc&code=41234567890&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+openid&authuser=0&prompt=none

traefik-forward-auth is not processing this response and applies the public (whoami) rule.

If I navigate again to the /secure endpoint, a second CSRF cookie will be added. Now I have two. With each try an additional cookie is added. No auto-cleanup.

This is the debug log:
time="2022-04-16T19:50:02Z" level=debug msg="Authenticating request" cookies="[]" handler=Auth host=whoami.mydomain.com method=GET proto=https rule=whoami-secure source_ip=1.2.3.4 uri=/secure
time="2022-04-16T19:50:02Z" level=debug msg="Set CSRF cookie and redirected to provider login url" csrf_cookie="_forward_auth_csrf_123=123; Path=/; Domain=whoami.mydomain.com; Expires=Sat, 16 Apr 2022 20:50:02 GMT; HttpOnly; Secure" handler=Auth host=whoami.mydomain.com login_url="https://accounts.google.com/o/oauth2/auth?client_id=81234567890.apps.googleusercontent.com&prompt=select_account&redirect_uri=https%3A%2F%2Fwhoami.mydomain.com%2F_oauth&response_type=code&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&state=12345678890%3Agoogle%3Ahttps%3A%2F%2Fwhoami.mydomain.com%2Fsecure" method=GET proto=https rule=whoami-secure source_ip=1.2.3.4 uri=/secure
time="2022-04-16T19:50:05Z" level=debug msg="Allowing request" cookies="[_forward_auth_csrf_123=123]" handler=Allow host=whoami.mydomain.com method=GET proto=https rule=whoami source_ip=1.2.3.4 uri="/_oauth?state=d7955fbdc6b59f0440d69ab55138547f%3Agoogle%3Ahttps%3A%2F%2Fwhoami.mydomain.com%2Fsecure&code=1234567890&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+openid&authuser=0&prompt=none"
time="2022-04-16T19:50:05Z" level=debug msg="Allowing request" cookies="[_forward_auth_csrf_123=123]" handler=Allow host=whoami.mydomain.com method=GET proto=https rule=whoami source_ip=1.2.3.4 uri=/favicon.ico
time="2022-04-16T19:51:50Z" level=debug msg="Authenticating request" cookies="[_forward_auth_csrf_123=123]" handler=Auth host=whoami.mydomain.com method=GET proto=https rule=whoami-secure source_ip=1.2.3.4 uri=/secure/abc
time="2022-04-16T19:51:50Z" level=debug msg="Set CSRF cookie and redirected to provider login url" csrf_cookie="_forward_auth_csrf_987=987; Path=/; Domain=whoami.mydomain.com; Expires=Sat, 16 Apr 2022 20:51:50 GMT; HttpOnly; Secure" handler=Auth host=whoami.mydomain.com login_url="https://accounts.google.com/o/oauth2/auth?client_id=1234567890.apps.googleusercontent.com&prompt=select_account&redirect_uri=https%3A%2F%2Fwhoami.mydomain.com%2F_oauth&response_type=code&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&state=1234567890%3Agoogle%3Ahttps%3A%2F%2Fwhoami.mydomain.com%2Fsecure%2Fabc" method=GET proto=https rule=whoami-secure source_ip=1.2.3.4 uri=/secure/abc
time="2022-04-16T19:51:54Z" level=debug msg="Allowing request" cookies="[_forward_auth_csrf_123=123 _forward_auth_csrf_987=987]" handler=Allow host=whoami.mydomain.com method=GET proto=https rule=whoami source_ip=1.2.3.4 uri="/_oauth?state=1234567890%3Agoogle%3Ahttps%3A%2F%2Fwhoami.mydomain.com%2Fsecure%2Fabc&code=1234567890&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+openid&authuser=0&prompt=none"
time="2022-04-16T19:51:54Z" level=debug msg="Allowing request" cookies="[_forward_auth_csrf_123=123 _forward_auth_csrf_987=987]" handler=Allow host=whoami.mydomain.com method=GET proto=https rule=whoami source_ip=1.2.3.4 uri=/favicon.ico
@dannyyy have you fixed this redirect to Google?

I have the same issue, did you resolve this?
The problem is that the buildRoutes() function adds the rule-based routes before adding the route for AuthCallbackHandler, leading to the AuthHandler responding to everything and generating an infinite redirect loop. I believe the order of these should be swapped.
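The route-ordering problem described in the comment above, and visible in the debug log further up (the /_oauth callback is handled by rule=whoami with handler=Allow instead of being consumed as the provider response), comes down to first-match routing: a host-wide allow rule registered before the callback route captures the callback. The following is an added example, not code from traefik-forward-auth; it models the two registration orders with a minimal first-match router. The rule shapes (`whoami` as a host-wide allow, `whoami-secure` as an auth rule on the /secure prefix), the handler names and the function names `buildRoutesRulesFirst` / `buildRoutesCallbackFirst` are assumptions made for the illustration, since the issue's rule definitions are not shown.

```go
package main

import (
	"fmt"
	"strings"
)

// Handler names used by this model (assumed; the real project's handlers differ).
const (
	handleAuth     = "auth"     // start the login flow: set CSRF cookie, redirect to provider
	handleAllow    = "allow"    // pass the request through without authentication
	handleCallback = "callback" // consume the provider response at the callback path
)

// route is one entry in a first-match router: the first registered route whose
// matcher accepts the request decides which handler runs.
type route struct {
	name    string
	handler string
	match   func(host, path string) bool
}

// request carries the two properties the matchers look at.
type request struct{ host, path string }

// hostRule matches every path on one host (assumed shape of the `whoami` rule).
func hostRule(host string) func(string, string) bool {
	return func(h, _ string) bool { return h == host }
}

// prefixRule matches one host plus a path prefix (assumed shape of `whoami-secure`).
func prefixRule(host, prefix string) func(string, string) bool {
	return func(h, p string) bool { return h == host && strings.HasPrefix(p, prefix) }
}

// callbackRule matches the OAuth callback path on any host.
func callbackRule(path string) func(string, string) bool {
	return func(_, p string) bool { return p == path }
}

// dispatch returns the name and handler of the first matching route; the
// catch-all `default` rule (action auth) applies when nothing matches.
func dispatch(routes []route, r request) (name, handler string) {
	for _, rt := range routes {
		if rt.match(r.host, r.path) {
			return rt.name, rt.handler
		}
	}
	return "default", handleAuth
}

// userRules holds the two rules named in the thread: the narrower protected
// rule first, then the host-wide allow rule.
func userRules() []route {
	return []route{
		{"whoami-secure", handleAuth, prefixRule("whoami.mydomain.com", "/secure")},
		{"whoami", handleAllow, hostRule("whoami.mydomain.com")},
	}
}

// callback is the route for the provider response; the path is the one seen in the log.
var callback = route{"auth-callback", handleCallback, callbackRule("/_oauth")}

// buildRoutesRulesFirst registers the user rules and then the callback route,
// the ordering the comment blames for the loop: `whoami` shadows /_oauth.
func buildRoutesRulesFirst() []route {
	return append(userRules(), callback)
}

// buildRoutesCallbackFirst registers the callback route first, the swap the
// comment proposes, so the provider response reaches the callback handler.
func buildRoutesCallbackFirst() []route {
	return append([]route{callback}, userRules()...)
}

func main() {
	reqs := []request{
		{"whoami.mydomain.com", "/"},
		{"whoami.mydomain.com", "/secure/abc"},
		{"whoami.mydomain.com", "/_oauth"},
	}
	orders := []struct {
		label  string
		routes []route
	}{{"rules first", buildRoutesRulesFirst()}, {"callback first", buildRoutesCallbackFirst()}}
	for _, o := range orders {
		for _, r := range reqs {
			name, h := dispatch(o.routes, r)
			fmt.Printf("%-14s %-12s -> rule=%s handler=%s\n", o.label, r.path, name, h)
		}
	}
}
```

With the rules registered first, a request to /_oauth on whoami.mydomain.com is answered by the `whoami` allow rule, which is what the log lines with uri="/_oauth?..." show; with the callback registered first, the same request reaches the callback handler while / and /secure/abc are still routed by the user rules.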
I tried different rules and orders to get it to work. But there seems to be a major misconfiguration in my manifest or the rule engine is buggy. I appreciate any support I can get.

Expected Result

Public: https://whoami.mydomain.com/* should be allowed without authentication
Protected: https://whoami.mydomain.com/secret/* must require authentication

Tried Rules and their Results

The impact of the following rules has been tested out and logging has been enabled with debug severity.

1. Public: Request for authentication because the default rule matched. (unexpected)
   Protected: Request for authentication because the whoami-secure rule matched. (expected)

2. Public: Request for authentication because the default rule matched. (unexpected)
   Protected: Request for authentication because the whoami-secure rule matched. (expected)

3. Public: Unauthorized access possible because the whoami rule matched. (expected)
   Protected: Request for authentication because the whoami-secure rule matched, but with a wrong redirect. The redirect to https://whoami.mydomain.com/_oauth/... is final (rule whoami matches), no cookie set, and no proper redirect to the origin URL. (unexpected)

4. Public: Unauthorized access possible because the whoami rule matched. (expected)
   Protected: Unauthorized access possible because the whoami rule matched. (unexpected)

5. Public: Unauthorized access possible because the whoami rule matched. (expected)
   Protected: Unauthorized access possible because the whoami rule matched. (unexpected)

traefik-forward-auth Configuration

My installation / configuration follows the example advanced-separate-pod.