* docs(nginx): Clarify auth_request redirect pattern with named location
Update the nginx integration documentation to recommend using a named location
(@oauth2_signin) for the error_page directive instead of the previous
'error_page 401 =403' approach.
The named location pattern ensures the browser receives a proper 302 redirect,
which is required for --skip-provider-button=true to work correctly.
The previous pattern (error_page 401 =403 /oauth2/sign_in) returned a 403
status with a Location header. Browsers do not auto-follow redirects on 403
responses, causing users to see a 'Found.' link instead of being automatically
redirected to the IdP.
Changes:
- Updated main nginx example to use @oauth2_signin named location
- Added 'Understanding the error_page redirect pattern' section
- Added warning about the limitations of 'error_page 401 =403'
- Updated local test environment (contrib/local-environment/nginx.conf)
Refs: #334
Signed-off-by: Stefan Markmann <stefan@markmann.net>
* docs: clarify browser vs API routes for nginx auth_request redirects
Add new "Browser vs API Routes" section explaining:
- Use 302 redirect to /oauth2/sign_in only for browser-facing routes
- Use 401/403 without redirect for API/machine clients
This ensures:
- Browsers get a redirect and smooth login flow
- API clients fail fast with appropriate HTTP status codes
- /oauth2/auth remains a pure boolean oracle (2xx/401)
Signed-off-by: Stefan Markmann <stefan@markmann.net>
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Stefan Markmann <stefan@markmann.net>
Signed-off-by: Jan Larwig <jan@larwig.com>
This reverts commit 9c61c49ec2.
The original fix broke nginx deployments using `auth_request`. When `/oauth2/auth` returns 302,
nginx's `auth_request` module treats this as an internal error:
[error] auth request unexpected status: 302 while sending to client
nginx then returns **500 Internal Server Error** to the browser.
> If the subrequest returns a 2xx response code, the access is allowed. If it returns 401 or 403,
> the access is denied with the corresponding error code. Any other response code returned by the
> subrequest is considered an error.
https://nginx.org/en/docs/http/ngx_http_auth_request_module.html
The nginx `auth_request` module has strict semantics (non-negotiable):
| Subrequest status | nginx behavior |
|---|---|
| 2xx | Allow request |
| 401 / 403 | Deny → trigger `error_page` |
| **Any other status** | **Internal error → 500** |
The `/oauth2/auth` endpoint is used as a **policy oracle** (yes/no decision),
not as a browser-facing endpoint. It cannot return redirects.
Any nginx deployment with:
- `skip-provider-button=true`
- Using `auth_request` directive
Will receive 500 errors instead of the expected authentication flow.
The correct fix for #334 is a **documentation update**, not a code change:
```nginx
error_page 401 = @oauth2_signin;
location @oauth2_signin {
return 302 /oauth2/sign_in?rd=$scheme://$host$request_uri;
}
```
This keeps `/oauth2/auth` as a pure 401/2xx oracle and lets nginx perform the proper 302 redirect to the browser.
- Original Issue: #334
- Regression introduced in PR: #3309
Signed-off-by: Stefan Markmann <stefan@markmann.net>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
* fix: Return 302 redirect from AuthOnly when skip-provider-button is true
When SkipProviderButton is enabled and a user needs to login, the AuthOnly
endpoint now returns a 302 redirect directly to the OAuth provider instead
of returning 401.
This fixes an issue with nginx auth_request architecture where 401 triggers
error_page handling, which can break redirect flows because nginx overrides
the status code (e.g., to 403), and browsers don't follow Location headers
for non-3xx responses.
Fixes: #334
Signed-off-by: Stefan Markmann <stefan@markmann.net>
* update docs and changelog
Signed-off-by: Stefan Markmann <stefan@markmann.net>
* test: Add specific OAuth redirect assertions per code review feedback
Improve TestAuthOnlyEndpointRedirectWithSkipProviderButton to verify
that the Location header actually redirects to the OAuth provider's
authorize endpoint with required parameters (client_id, redirect_uri,
state), not just that a Location header exists.
Signed-off-by: Stefan Markmann <stefan@markmann.net>
* refactor: Flatten AuthOnly error handling structure
Move the SkipProviderButton check outside of the nested err != nil block
using an if-else structure. This makes the special case more visible and
reduces nesting depth without changing behavior.
Signed-off-by: Stefan Markmann <stefan@markmann.net>
* doc: backport to v7.14.x
Signed-off-by: Jan Larwig <jan@larwig.com>
---------
Signed-off-by: Stefan Markmann <stefan@markmann.net>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
Stefan Markmann
github-actions[bot]
Jan Larwig