From 513af9b714a1250aa9baa5526c80812c7685b796 Mon Sep 17 00:00:00 2001
From: T S
Date: Tue, 1 Oct 2019 12:28:00 -0700
Subject: [PATCH] Escape original request URI in sample kubernetes ingress configuration

The current sample configuration for kubernetes ingress demonstrates using the `auth-signin` annotation to redirect a user to oauth2_proxy's signin page. It constructs the link to do so by directly concatenating `$request_uri` as the `rd` parameter, so the sign-in page knows where to send the user after signin is complete.

However, this does not work correctly if the original request URI contains multiple query parameters separated by an ampersand, as that ampersand is interpreted as separating query parameters of the `/oauth2/start` URI. For example:

If the user requests a URL:
  https://example.com/foo?q1=v1&q2=v2
they may be redirected to the signin url
  https://example.com/oauth2/start?rd=https://example.com/foo?q1=v1&q2=v2
and after completing signin, oauth2_proxy will redirect them to
  https://example.com/foo?q1=v1

nginx-ingress added an $escaped_request_uri variable about a year ago, to help resolve this kind of issue (https://github.com/kubernetes/ingress-nginx/pull/2811)

--- docs/configuration/configuration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/configuration/configuration.md b/docs/configuration/configuration.md index db47e691..d30f85b5 100644 --- a/docs/configuration/configuration.md +++ b/docs/configuration/configuration.md 
@@ -310,7 +310,7 @@ If you use ingress-nginx in Kubernetes (which includes the Lua module), you also ```yaml nginx.ingress.kubernetes.io/auth-response-headers: Authorization -nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$request_uri +nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth nginx.ingress.kubernetes.io/configuration-snippet: | auth_request_set $name_upstream_1 $upstream_cookie_name_1;
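Review bot: on the changed `auth-signin` line, the documentation should state the ingress-nginx requirement, because `$escaped_request_uri` is a variable provided by ingress-nginx (the commit message points to kubernetes/ingress-nginx pull 2811) rather than a stock nginx variable, and on a controller that predates that change the sample will not work as written. Suggest a one-line note above the YAML block naming that requirement, plus a short sentence on why the escaped form is used (an unescaped `&` in the original URI is parsed as a parameter of `/oauth2/start`, so `rd` is truncated at the first ampersand), so that a later edit does not simplify it back to `$request_uri`.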