Escape original request URI in sample kubernetes ingress configuration

The current sample configuration for kubernetes ingress demonstrates using the `auth-signin` annotation to redirect a user to oauth2_proxy's signin page. It constructs the link to do so by directly concatenating `$request_uri` as the `rd` parameter, so the sign-in page knows where to send the user after signin is complete. However, this does not work correctly if the original request URI contains multiple query parameters separated by an ampersand, as that ampersand is interpereted as separating query parameters of the `/oauth2/start` URI. For example: If the user requests a URL: https://example.com/foo?q1=v1&q2=v2 they may be redirected to the signin url https://example.com/oauth2/start?rd=https://example.com/foo?q1=v1&q2=v2 and after completing signin, oauth2_proxy will redirect them to https://example.com/foo?q1=v1 nginx-ingress added an $escaped_request_uri variable about a year ago, to help resolve this kind of issue (https://github.com/kubernetes/ingress-nginx/pull/2811)
2025-02-09 13:46:51 +02:00 · 2019-10-01 12:28:00 -07:00 · 2019-10-01 12:28:00 -07:00 · 513af9b714
commit 513af9b714
parent 721d28bd4f
1 changed files with 1 additions and 1 deletions
--- a/docs/configuration/configuration.md
+++ b/docs/configuration/configuration.md
@ -310,7 +310,7 @@ If you use ingress-nginx in Kubernetes (which includes the Lua module), you also

 ```yaml
 nginx.ingress.kubernetes.io/auth-response-headers: Authorization
-nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$request_uri
+nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
 nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
 nginx.ingress.kubernetes.io/configuration-snippet: |
  auth_request_set $name_upstream_1 $upstream_cookie_name_1;