When the whitelist-domain configuration does not match the redirect URL, the user is still redirected to the oauth2-proxy root URL ("/") instead of being halted with an HTTP 403 error.
--whitelist-domain=localhost
For us, this has led to a redirection to a page that does not exist when accessed from the outside on the first attempt (which triggers a 403 or 404 error by the default backend config), but the user has a valid OAuth2 proxy cookie afterwards. On the user's second attempt (because no external authentication redirect occurs), they are authenticated and can access the website, even though it is not on the whitelist domain.
OAuth2-Proxy Version
7.6.0
Provider
azure
Expected Behaviour
Current Behaviour
calling http://localhost:4180/oauth2/start?rd=https://example.com/foo
Steps To Reproduce
Possible Solutions
Instead of sending a 302 on invalid redirect, send a 403
Configuration details or additional information
We are using Ingress-Nginx External OAuth Authentication.
If it's expected behavior for some reason, feel free to close this issue with a comment.
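To make the two behaviours discussed in this issue concrete, here is an added example in Go (it is not oauth2-proxy's own code and does not reproduce its internal API). It implements a small redirect validator against a whitelist and a stand-in /oauth2/start handler that takes an rd parameter. The whitelist semantics are an assumption made for the example: an entry with a leading dot allows the domain and all subdomains, any other entry must match the hostname exactly, and ports are ignored. The RedirectPolicy values FallbackToRoot (the 302 to "/" reported above) and RejectWith403 (the fix proposed above) are names invented here so the two policies can be compared side by side.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// RedirectPolicy decides what happens when the rd parameter fails validation.
// Both names are hypothetical, chosen for this example only.
type RedirectPolicy int

const (
	// FallbackToRoot mirrors the behaviour the issue reports: silently redirect to "/".
	FallbackToRoot RedirectPolicy = iota
	// RejectWith403 is the behaviour the issue proposes: refuse the request outright.
	RejectWith403
)

// hostAllowed reports whether host (without port) is covered by the whitelist.
// Assumed semantics: a leading dot allows the domain and all its subdomains,
// any other entry must match exactly. Comparison is case-insensitive.
func hostAllowed(host string, whitelist []string) bool {
	host = strings.ToLower(host)
	for _, entry := range whitelist {
		entry = strings.ToLower(entry)
		if strings.HasPrefix(entry, ".") {
			if host == strings.TrimPrefix(entry, ".") || strings.HasSuffix(host, entry) {
				return true
			}
		} else if host == entry {
			return true
		}
	}
	return false
}

// ValidateRedirect returns rd unchanged if it is a safe target and an error otherwise.
// Local paths (a single leading "/") are always allowed; absolute URLs must use
// http or https and point at a whitelisted host.
func ValidateRedirect(rd string, whitelist []string) (string, error) {
	if rd == "" {
		return "", fmt.Errorf("empty redirect")
	}
	// "//host/..." is protocol-relative (an external URL), and "/\host" is treated
	// the same way by some browsers, so neither counts as a local path.
	if strings.HasPrefix(rd, "/") && !strings.HasPrefix(rd, "//") && !strings.HasPrefix(rd, "/\\") {
		return rd, nil
	}
	u, err := url.Parse(rd)
	if err != nil {
		return "", fmt.Errorf("unparseable redirect: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return "", fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if !hostAllowed(u.Hostname(), whitelist) {
		return "", fmt.Errorf("host %q not in whitelist", u.Hostname())
	}
	return rd, nil
}

// StartHandler is a minimal stand-in for an /oauth2/start endpoint. It only
// exercises the redirect check; no real OAuth flow is started.
func StartHandler(whitelist []string, policy RedirectPolicy) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		rd := r.URL.Query().Get("rd")
		target, err := ValidateRedirect(rd, whitelist)
		if err != nil {
			if policy == RejectWith403 {
				http.Error(w, "invalid redirect target: "+err.Error(), http.StatusForbidden)
				return
			}
			target = "/" // reported behaviour: silently fall back to the proxy root
		}
		http.Redirect(w, r, target, http.StatusFound)
	}
}

// Probe sends one constructed request with the given rd through the handler and
// returns the status code and Location header, so the policies can be compared.
func Probe(whitelist []string, policy RedirectPolicy, rd string) (int, string) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest("GET", "/oauth2/start?rd="+url.QueryEscape(rd), nil)
	StartHandler(whitelist, policy)(rec, req)
	return rec.Code, rec.Header().Get("Location")
}

func main() {
	wl := []string{"localhost"} // same whitelist as the issue's --whitelist-domain=localhost
	for _, p := range []RedirectPolicy{FallbackToRoot, RejectWith403} {
		code, loc := Probe(wl, p, "https://example.com/foo")
		fmt.Printf("policy=%d status=%d location=%q\n", p, code, loc)
	}
}
```

With the whitelist set to localhost, the rd value from the issue (https://example.com/foo) yields a 302 to "/" under FallbackToRoot and a 403 under RejectWith403, while http://localhost:4180/... and plain local paths pass either way. The 403 is the easier outcome to alert on, since a 302 to "/" looks identical to a successful login in access logs.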