This reverts commit 9c61c49ec2.
The original fix broke nginx deployments using `auth_request`. When `/oauth2/auth` returns 302,
nginx's `auth_request` module treats this as an internal error:
```
[error] auth request unexpected status: 302 while sending to client
```
nginx then returns **500 Internal Server Error** to the browser.
> If the subrequest returns a 2xx response code, the access is allowed. If it returns 401 or 403,
> the access is denied with the corresponding error code. Any other response code returned by the
> subrequest is considered an error.
https://nginx.org/en/docs/http/ngx_http_auth_request_module.html
The nginx `auth_request` module has strict semantics (non-negotiable):
| Subrequest status | nginx behavior |
|---|---|
| 2xx | Allow request |
| 401 / 403 | Deny → trigger `error_page` |
| **Any other status** | **Internal error → 500** |
The `/oauth2/auth` endpoint is used as a **policy oracle** (yes/no decision),
not as a browser-facing endpoint. It cannot return redirects.
Any nginx deployment with:
- `skip-provider-button=true`
- the `auth_request` directive
will receive 500 errors instead of the expected authentication flow.
The correct fix for #334 is a **documentation update**, not a code change:
```nginx
error_page 401 = @oauth2_signin;
location @oauth2_signin {
return 302 /oauth2/sign_in?rd=$scheme://$host$request_uri;
}
```
This keeps `/oauth2/auth` as a pure 401/2xx oracle and lets nginx perform the proper 302 redirect to the browser.
- Original Issue: #334
- Regression introduced in PR: #3309
Signed-off-by: Stefan Markmann <stefan@markmann.net>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* fix: Return 302 redirect from AuthOnly when skip-provider-button is true
When SkipProviderButton is enabled and a user needs to log in, the AuthOnly
endpoint now returns a 302 redirect directly to the OAuth provider instead
of returning 401.
This fixes an issue with nginx auth_request architecture where 401 triggers
error_page handling, which can break redirect flows because nginx overrides
the status code (e.g., to 403), and browsers don't follow Location headers
for non-3xx responses.
Fixes: #334
Signed-off-by: Stefan Markmann <stefan@markmann.net>
* update docs and changelog
Signed-off-by: Stefan Markmann <stefan@markmann.net>
* test: Add specific OAuth redirect assertions per code review feedback
Improve TestAuthOnlyEndpointRedirectWithSkipProviderButton to verify
that the Location header actually redirects to the OAuth provider's
authorize endpoint with required parameters (client_id, redirect_uri,
state), not just that a Location header exists.
Signed-off-by: Stefan Markmann <stefan@markmann.net>
* refactor: Flatten AuthOnly error handling structure
Move the SkipProviderButton check outside of the nested err != nil block
using an if-else structure. This makes the special case more visible and
reduces nesting depth without changing behavior.
Signed-off-by: Stefan Markmann <stefan@markmann.net>
* doc: backport to v7.14.x
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Stefan Markmann <stefan@markmann.net>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
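The interaction between oauth2-proxy's AuthOnly handler and nginx's `auth_request` classification, as an added example that is not oauth2-proxy's own code: a simplified handler that can return either the correct 401 or the reverted 302, fed through the documented nginx rules so the 500 regression and the working `error_page 401 = @oauth2_signin` path are both visible. The cookie name, the provider URL and the status mapping are assumptions constructed for the example.

```go
package main

import "net/http"
import "net/http/httptest"

// classifyAuthRequest applies the documented ngx_http_auth_request_module rules: 2xx
// allows, 401/403 denies (error_page runs), anything else, a 302 included, is a 500.
func classifyAuthRequest(status int) string {
	switch {
	case status >= 200 && status < 300:
		return "allow"
	case status == http.StatusUnauthorized, status == http.StatusForbidden:
		return "deny"
	}
	return "internal-error"
}

// authOnly models oauth2-proxy's AuthOnly handler (simplified, constructed here).
// redirectOnUnauth reproduces the reverted behaviour: 302 to the provider instead of 401.
func authOnly(redirectOnUnauth bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, err := r.Cookie("_oauth2_proxy"); err == nil {
			w.WriteHeader(http.StatusAccepted) // session present: the oracle says yes
			return
		}
		if redirectOnUnauth {
			http.Redirect(w, r, "https://provider.example/authorize", http.StatusFound)
			return
		}
		w.WriteHeader(http.StatusUnauthorized) // the oracle says no; nginx decides what follows
	})
}

// frontDoorStatus is what the browser gets from nginx when the auth_request subrequest
// hits h, assuming `error_page 401 = @oauth2_signin` with a 302 in that named location.
func frontDoorStatus(h http.Handler, hasSessionCookie bool) int {
	req := httptest.NewRequest(http.MethodGet, "/oauth2/auth", nil)
	if hasSessionCookie {
		req.AddCookie(&http.Cookie{Name: "_oauth2_proxy", Value: "constructed-session"})
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	switch classifyAuthRequest(rec.Code) {
	case "allow":
		return http.StatusOK // proxied to the upstream
	case "deny":
		return http.StatusFound // error_page 401 = @oauth2_signin redirects the browser
	}
	return http.StatusInternalServerError // "auth request unexpected status: 302"
}
```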
* Fix WebSocket proxy to respect PassHostHeader setting
When PassHostHeader is set to false, the regular HTTP proxy correctly
sets the Host header to the upstream backend URL. However, the WebSocket
proxy was not respecting this setting, causing WebSocket connections to
fail when backend services validate the Host header.
This commit:
- Adds passHostHeader parameter to newWebSocketReverseProxy()
- Applies setProxyUpstreamHostHeader() when PassHostHeader=false
- Ensures consistent behavior between HTTP and WebSocket proxies
Fixes #3288
Signed-off-by: Pascal Schmiel <pascal.schmiel@gmail.com>
* chore(): add tests, update changelog
Signed-off-by: Pascal Schmiel <pascal.schmiel@gmail.com>
---------
Signed-off-by: Pascal Schmiel <pascal.schmiel@gmail.com>
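The Host-header behaviour the fix above aligns between the two proxy paths, as an added example that is not oauth2-proxy's own code: a shared outbound rewrite that honours PassHostHeader for WebSocket upgrades too, run against a backend that rejects requests for a Host it does not serve. The upstream address, the browser-side request and the 421 response of the strict backend are assumptions constructed for the example.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// rewriteForUpstream is the outbound rewrite both proxy paths should share. When
// passHostHeader is false the backend must see the upstream's own host, the
// counterpart of oauth2-proxy's setProxyUpstreamHostHeader(); the WebSocket path
// used to skip this step and forwarded the browser's Host header unchanged.
func rewriteForUpstream(req *http.Request, upstream *url.URL, passHostHeader bool) {
	req.URL.Scheme, req.URL.Host = upstream.Scheme, upstream.Host
	if strings.EqualFold(req.Header.Get("Upgrade"), "websocket") {
		req.URL.Scheme = map[string]string{"http": "ws", "https": "wss"}[upstream.Scheme]
	}
	if !passHostHeader {
		req.Host = upstream.Host
	}
}

// hostValidatingBackend models a service that only serves its own vhost and answers
// 421 Misdirected Request when the Host header is not the one it was deployed under.
func hostValidatingBackend(ownHost string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !strings.EqualFold(r.Host, ownHost) {
			w.WriteHeader(http.StatusMisdirectedRequest)
			return
		}
		w.WriteHeader(http.StatusOK) // stands in for the 101 a real upgrade would produce
	})
}

// backendStatus pushes one constructed browser-side WebSocket upgrade through the
// rewrite and into the backend, in memory, and returns the backend's status.
func backendStatus(upstream string, passHostHeader bool) int {
	u, err := url.Parse(upstream)
	if err != nil {
		return http.StatusBadGateway
	}
	req := httptest.NewRequest(http.MethodGet, "http://app.example.com/ws", nil)
	req.Header.Set("Connection", "Upgrade")
	req.Header.Set("Upgrade", "websocket")
	rewriteForUpstream(req, u, passHostHeader)
	rec := httptest.NewRecorder()
	hostValidatingBackend(u.Host).ServeHTTP(rec, req)
	return rec.Code
}
```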
* docs: add Kubernetes Dashboard integration guide for Azure Entra ID
Add comprehensive documentation for integrating oauth2-proxy with
Kubernetes Dashboard on Azure Kubernetes Service (AKS) using Azure
Entra ID authentication.
Changes:
- Add new section "Kubernetes Dashboard on AKS" to ms_entra_id.md
with complete configuration examples including:
- Architecture overview and integration flow
- Alpha configuration for oauth2-proxy Helm chart
- Dashboard Ingress with proper auth annotations
- RBAC configuration (user-based and group-based)
- Troubleshooting guide for common issues
- Workload Identity (passwordless) setup
- Add reference link in integration.md pointing to the new section
for users looking for Kubernetes Dashboard integration examples
This addresses common issues users face when integrating Dashboard
with Entra ID, particularly:
- Missing Authorization header in auth-response-headers
- Insufficient buffer sizes for large Entra ID tokens
- RBAC permission configuration
- Group claims setup
Closes: oauth2-proxy/manifests#348
Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com>
* docs: split integration.md into separate integration guides
Split the monolithic integration.md file into a structured integrations
directory with individual pages for each tool, as requested by the maintainer.
Changes:
- Create new docs/configuration/integrations/ directory structure
- Split content into separate files:
- nginx.md: Nginx auth_request directive configuration
- traefik.md: Traefik v2 ForwardAuth middleware setup
- caddy.md: Caddy v2 forward_auth directive configuration
- kubernetes-dashboard.md: K8s Dashboard integration (with deprecation notice)
- headlamp.md: Headlamp integration guide (recommended alternative)
- Transform integration.md into an index/overview page linking to all integrations
- Update docs/sidebars.js to use new Integration Guides category structure
The content has been preserved as-is from the original file, only
reorganized into separate files for better maintainability and
navigation. Added deprecation notice for Kubernetes Dashboard per
0ba796dce6.
Addresses maintainer feedback from PR #3299
Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com>
* fix: restore Kubernetes Dashboard tip box in nginx integration docs
Add back the tip box referencing the Kubernetes Dashboard Azure Entra ID
integration example that was present in the original integration.md file.
This ensures all content from the original file is preserved in the split
documentation structure.
Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com>
* refactor: move Kubernetes Dashboard details to integration guide
Move the detailed Kubernetes Dashboard integration content from the
ms_entra_id provider documentation to the integrations section where
it logically belongs.
Changes:
- Move complete K8s Dashboard guide from ms_entra_id.md to
integrations/kubernetes-dashboard.md (architecture, configuration,
RBAC, troubleshooting, Workload Identity)
- Replace detailed section in ms_entra_id.md with brief reference
to integration guide
- Reorder sidebar: Headlamp before Kubernetes Dashboard
- Update integration.md index to show Headlamp first (recommended),
Dashboard last (deprecated)
This improves documentation organization by keeping integration guides
in the integrations/ directory and provider docs focused on provider
configuration.
Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com>
* docs: move integration.md to integrations/index.md
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Pierluigi Lenoci <pierluigi.lenoci@gmail.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* Fix session refresh handling in OIDC provider
- `s.Refreshed` was always `false` as the session object was not updated
- `ValidateURL` is, by default, not configured for OIDC providers. Access token validation now only happens when a validation endpoint is available.
Signed-off-by: Michael Gysel <michael.gysel@unblu.com>
* Update changelog
Signed-off-by: Michael Gysel <michael.gysel@unblu.com>
---------
Signed-off-by: Michael Gysel <michael.gysel@unblu.com>
* partly address #2120 and more aggressively truncate access_token
- leaking half of the access token to the logs seems problematic from
a security point of view
- also noisier than necessary logging
- fixed by truncating to at most first 5 chars (e.g. `ya29.`)
Signed-off-by: Martin Nowak <code@dawg.eu>
* feat: more aggressively truncate logged access_token; add unit test and changelog
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Martin Nowak <code@dawg.eu>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* docs: add Cisco Duo SSO provider documentation
Signed-off-by: Jan Larwig <jan@larwig.com>
* doc: backport to versioned docs 7.13 and fix alphabetical order of entries
Signed-off-by: Jan Larwig <jan@larwig.com>
* doc: improved clarity for the cisco duo configuration steps
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>