public_git
/
oauth2-proxy
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
oauth2-proxy/docs
History
Stefan Markmann cf5d34acf6
revert: "fix: skip provider button auth only redirect (#3309)" (#3314) 
This reverts commit 9c61c49ec2.

The original fix broke nginx deployments using `auth_request`. When `/oauth2/auth` returns 302,
nginx's `auth_request` module treats this as an internal error:

    [error] auth request unexpected status: 302 while sending to client

nginx then returns **500 Internal Server Error** to the browser.

> If the subrequest returns a 2xx response code, the access is allowed. If it returns 401 or 403,
> the access is denied with the corresponding error code. Any other response code returned by the
> subrequest is considered an error.
https://nginx.org/en/docs/http/ngx_http_auth_request_module.html

The nginx `auth_request` module has strict semantics (non-negotiable):

| Subrequest status | nginx behavior |
|---|---|
| 2xx | Allow request |
| 401 / 403 | Deny → trigger `error_page` |
| **Any other status** | **Internal error → 500** |

The `/oauth2/auth` endpoint is used as a **policy oracle** (yes/no decision),
not as a browser-facing endpoint. It cannot return redirects.

Any nginx deployment with:
- `skip-provider-button=true`
- Using `auth_request` directive

Will receive 500 errors instead of the expected authentication flow.

The correct fix for #334 is a **documentation update**, not a code change:

```nginx
error_page 401 = @oauth2_signin;

location @oauth2_signin {
    return 302 /oauth2/sign_in?rd=$scheme://$host$request_uri;
}
```

This keeps `/oauth2/auth` as a pure 401/2xx oracle and lets nginx perform the proper 302 redirect to the browser.

- Original Issue: #334
- Regression introduced in PR: #3309

Signed-off-by: Stefan Markmann <stefan@markmann.net>
Signed-off-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
 		2026-01-18 00:36:08 +01:00
..
docs revert: "fix: skip provider button auth only redirect (#3309)" (#3314) 2026-01-18 00:36:08 +01:00
src/css Microsoft Entra ID provider (#2390) 2024-12-31 11:46:13 +00:00
static doc: readme overhaul and azure sponsorship (#2826) 2024-10-27 12:12:46 +00:00
versioned_docs revert: "fix: skip provider button auth only redirect (#3309)" (#3314) 2026-01-18 00:36:08 +01:00
versioned_sidebars docs: backport integrations split to v7.14.x & v7.13.x 2026-01-17 11:06:19 +01:00
.gitignore docs: restructure all options and flags (#2747) 2024-08-20 10:40:27 +02:00
README.md doc: SourceHut documentation fixes (#3170) 2025-08-20 12:02:32 +02:00
babel.config.js Migrate existing documentation to Docusaurus 2020-11-05 15:36:27 +00:00
docusaurus.config.js doc: cncf onboarding and sponsor update 2026-01-17 11:04:43 +01:00
package.json chore(deps): update dependency @easyops-cn/docusaurus-search-local to ^0.52.0 (#3131) 2025-07-20 11:07:35 +02:00
sidebars.js docs: split integration.md into separate integration guides (#3299) 2026-01-16 09:37:52 +01:00
versions.json add new docs version 7.14.x 2026-01-17 11:04:42 +01:00

README.md

Website

This website is built using Docusaurus 2, a modern static website generator.

Installation

npm install

Local Development

npm start

This command starts a local development server and open up a browser window. Most changes are reflected live without having to restart the server.

Build

npm run build

This command generates static content into the build directory and can be served using any static contents hosting service.

Deployment

GIT_USER=<Your GitHub username> USE_SSH=true npm deploy

If you are using GitHub pages for hosting, this command is a convenient way to build the website and push to the gh-pages branch.