Nginx Ingress 将整个 url 作为重定向传递给 oauth 代理 [英] Nginx Ingress pass whole url to oauth proxy as Redirect
问题描述
我正在运行一个带有 Nginx-ingress 的 Kubernetes 集群,该集群面向几个 Web 应用程序.由于 Nginx 默认不支持 SSO/OIDC,我使用 oauth_proxy 进行身份验证.
详细地,我使用 oauth2_proxy (https://github.com/pusher/oauth2_proxy) 和天蓝色广告.
apiVersion: extensions/v1beta1种类:入口元数据:名称:nginx-ingress-internal命名空间:入口-nginx注释:nginx.ingress.kubernetes.io/rewrite-target:/$2nginx.ingress.kubernetes.io/auth-url: "https://example.com/oauth2/auth"nginx.ingress.kubernetes.io/auth-signin: "https://example.com/oauth2/start?rd=$escaped_request_uri"nginx.ingress.kubernetes.io/auth-response-headers:授权,x-auth-request-user,x-auth-request-email,x_auth_request_access_token"规格:规则:- 主机:example.com网址:路径:- 路径:/home(/|$)(.*)后端:服务名称:app-homepage-frontend-service服务端口:80- 路径:/homepage-backend(/|$)(.*)后端:服务名称:app-homepage-backend-service服务端口:80
我跳过了一些细节,比如 tls.所以一般来说一切正常,只有经过验证的用户才能访问网页.
问题是我的前端是用 Angular 编写的,它使用哈希路由.如果尝试进入像
这样的深路线https://example.com/home/#/page1/subpage2
只是基本路径 (/home) 作为重定向 url 传递.因此,当我成功获得授权时,我会被重定向到 https://example.com/home.>
Os there any veriable 而不是 $escaped_request_uri,它传递整个 url?
请尝试以下过程可能会有所帮助!
- 添加状态参数将有助于 oauth2_proxy
状态参数
State 参数将在身份验证请求之前保留状态,并在请求中传递随机生成的状态值以进行身份验证,在回调请求中,他们将添加状态,即 Oauth2_Proxy 生成的 id.然后 Oauth2_Proxy 将读取该 ID 并返回 URL 并做出响应.
使用以下链接
https://dev.bitly.com/v4_documentation.html
Bitly Oauth2_Proxy 在那里的代码中添加了相同的内容.
https://github.com/bitly/oauth2_proxy/blob/master/providers/provider_default.go#L87-L89
I am running a Kubernetes Cluster with an Nginx-ingress fronting couple of web apps. Because Nginx doesn't support SSO/OIDC by default, I use an oauth_proxy for authentication.
In detail I use oauth2_proxy (https://github.com/pusher/oauth2_proxy) with Azure AD.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: nginx-ingress-internal
namespace: ingress-nginx
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /$2
nginx.ingress.kubernetes.io/auth-url: "https://example.com/oauth2/auth"
nginx.ingress.kubernetes.io/auth-signin: "https://example.com/oauth2/start?rd=$escaped_request_uri"
nginx.ingress.kubernetes.io/auth-response-headers: "authorization, x-auth-request-user, x-auth-request-email, x_auth_request_access_token"
spec:
rules:
- host: example.com
http:
paths:
- path: /home(/|$)(.*)
backend:
serviceName: app-homepage-frontend-service
servicePort: 80
- path: /homepage-backend(/|$)(.*)
backend:
serviceName: app-homepage-backend-service
servicePort: 80
I skiped some details like tls. So in general everything is working, only verified users are able to access the web pages.
The issue is that my frontend is writte in Angular which use hash-routing. And if try to enter a deep route like
https://example.com/home/#/page1/subpage2
just base path (/home) is passed as redirect url. So when I'm authorized successfully, I get redirected to https://example.com/home.
Os there any veriable instead of $escaped_request_uri, which pass the whole url?
Please try with below process might be it will help!!
- Adding State Parameter will help for oauth2_proxy
State Parameter
State parameter will reserve the state prior to authentication request and pass random generated state value in request to authenticate and in call back request they will add state back i.e. Oauth2_Proxy generated id. Then Oauth2_Proxy will read that ID and provide the URL back and respond.
Use below link
https://dev.bitly.com/v4_documentation.html
Bitly Oauth2_Proxy added the same in there code.
https://github.com/bitly/oauth2_proxy/blob/master/providers/provider_default.go#L87-L89
这篇关于Nginx Ingress 将整个 url 作为重定向传递给 oauth 代理的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!