mirror of
https://github.com/oauth2-proxy/oauth2-proxy.git
synced 2025-03-21 21:47:11 +02:00
513af9b714
The current sample configuration for kubernetes ingress demonstrates using the `auth-signin` annotation to redirect a user to oauth2_proxy's signin page. It constructs the link to do so by directly concatenating `$request_uri` as the `rd` parameter, so the sign-in page knows where to send the user after signin is complete. However, this does not work correctly if the original request URI contains multiple query parameters separated by an ampersand, as that ampersand is interpereted as separating query parameters of the `/oauth2/start` URI. For example: If the user requests a URL: https://example.com/foo?q1=v1&q2=v2 they may be redirected to the signin url https://example.com/oauth2/start?rd=https://example.com/foo?q1=v1&q2=v2 and after completing signin, oauth2_proxy will redirect them to https://example.com/foo?q1=v1 nginx-ingress added an $escaped_request_uri variable about a year ago, to help resolve this kind of issue (https://github.com/kubernetes/ingress-nginx/pull/2811)