Whitelist domains #15
Conversation
Doesn't the cookie-domains option already allow you to do this? What is the difference?
It does not. There is a security check in place as part of any OAuth2 flow that you should have a predefined list of approved "redirect URLs". The initial request to the OAuth2 Proxy will have an This PR allows you to set the redirect URL to be on a different domain than the OAuth2 proxy is hosted. With the current behaviour, if I have the OAuth2 proxy hosted at As I say, it is standard to be able to redirect to a different domain as part of OAuth2 but there has to be a validated list, which is what we are implementing in this PR. As for the cookie domain, that is only used when returning the Does that answer your question @danihodovic?
Yes, thanks! 👍 I've worked around this problem by having
d795222 to c28be1c
This is great! It's one of the most popular PRs in the bitly project; I'm looking forward to seeing this in pusher/oauth2_proxy.
LGTM once conflicts are fixed :)
bf7af5f to 987b25f
Hey @JoelSpeed, I've tested the branch. It works so well! Thanks for the great job. Thx
I was just waiting on a sanity check after my rebase, but since the tests didn't break I don't think I've changed the behaviour, which is good to know 😅 I'll get this merged shortly.
@syscll Got a moment to re-approve this? Pushing to the branch dismissed the review.
LGTM 👍
I would love to see this released in 3.1.0 :)
My current plan is to get #16 wrapped up and then cut a new release at that point, hopefully within the next week or so 😄
3.1.0 is now released with white-list domain support. Well done everyone 🎉!
The
added the new packages AI web path
* Fix vulnerabilities
This PR replaces: bitly/oauth2_proxy#464
Fixes: #12
Description
Adds a whitelist-domain flag that can be used to whitelist a set of domains for the redirect parameter in the authentication request.
Motivation and Context
I wrote this to fix #399.
It allows you to set a whitelist of redirect domains, which is useful when you wish to run 1 copy of the oauth2_proxy but protect multiple different endpoints (used particularly in the nginx auth_request mode).
How Has This Been Tested?
This has been running for us in production for nearly a year.
Checklist:
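The validated redirect list described in the discussion above and in the PR description, worked through as an added Go example (this is illustrative code written for this page, not the PR's or oauth2_proxy's own implementation). It assumes a whitelist convention where `app.example.com` matches that host only and a leading-dot entry such as `.corp.example.org` matches the apex and any subdomain; the host names and redirect values are constructed for the demonstration. It also shows why the check has to look at the parsed host rather than the raw string: scheme-relative `//host` paths, userinfo tricks and look-alike suffixes all need to be rejected for the whitelist to actually stop open redirects.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// isValidRedirect decides whether a post-login redirect target may be
// honoured. Illustrative implementation for this page; not the project's
// own code. Assumed whitelist convention: "host.example" matches only that
// host, ".example.org" matches example.org and any subdomain of it.
func isValidRedirect(redirect string, whitelist []string) bool {
	// A relative path stays on the proxy's own host and is always allowed,
	// except the scheme-relative forms "//host" and "/\host", which browsers
	// resolve to a different origin.
	if strings.HasPrefix(redirect, "/") {
		return !strings.HasPrefix(redirect, "//") && !strings.HasPrefix(redirect, "/\\")
	}

	u, err := url.Parse(redirect)
	if err != nil {
		return false
	}
	// Only absolute http(s) URLs with a real host are considered; anything
	// else (other schemes, opaque URLs) is rejected outright.
	if (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return false
	}

	// Compare the parsed host, not the raw string: userinfo ("good@evil"),
	// query strings and suffix look-alikes must not influence the decision.
	host := strings.ToLower(u.Hostname())
	for _, entry := range whitelist {
		entry = strings.ToLower(entry)
		if strings.HasPrefix(entry, ".") {
			if host == strings.TrimPrefix(entry, ".") || strings.HasSuffix(host, entry) {
				return true
			}
		} else if host == entry {
			return true
		}
	}
	return false
}

func main() {
	// Constructed whitelist: one exact host and one subdomain wildcard.
	whitelist := []string{"app.example.com", ".corp.example.org"}

	// Constructed redirect candidates, good and bad.
	candidates := []string{
		"/dashboard",
		"https://app.example.com/settings",
		"https://api.corp.example.org/callback",
		"//attacker.test/",
		"https://app.example.com.attacker.test/",
		"https://app.example.com@attacker.test/",
		"https://attacker.test/?next=app.example.com",
	}
	for _, c := range candidates {
		fmt.Printf("%-48s allowed=%v\n", c, isValidRedirect(c, whitelist))
	}
}
```

Ports are deliberately not part of the comparison here (`Hostname()` strips them), so a deployment that wants to pin ports as well would need to compare `u.Host` instead.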