
Comments (8)

jehiah avatar jehiah commented on July 19, 2024

@hexedpackets can you confirm what version you are using, and if needed try to reproduce with version 1.1.1 if not using that (or newer?). This should have been resolved by #17 which was part of that release.

from oauth2_proxy.

hexedpackets avatar hexedpackets commented on July 19, 2024

I was using 1.0, just tried with 1.1.1 and had the same result. What I'm seeing is that a single slash gets sent correctly without decoding, such as the test case from #17 of /a%2Fb/. But my triple-slashed URL, /api/queues/%2F/amq.queue, gets turned into /api/queues/amq.queue.


jehiah avatar jehiah commented on July 19, 2024

@hexedpackets I'm having trouble reproducing that. Can you describe your setup in a little more detail? Is there something else that might be collapsing path components in your request path?

Could you get a dump of the request as sent from oauth2_proxy upstream by making a curl request with an appropriate cookie that passes authentication (or setting up basic auth for the test) and run a netcat listener as your upstream?


hexedpackets avatar hexedpackets commented on July 19, 2024

Sanitized logs below. pass_basic_auth is disabled in my config since it conflicts with rabbitmq's login, but I can set up something with it enabled if that will help. As you can see in the proxy logs, it's seeing /// instead of /%2F/ and sending a redirect without ever forwarding the original request.

Proxy:

$ ./google_auth_proxy -version
google_auth_proxy v1.1.1 (built with go1.4.2)
$ ./google_auth_proxy -config oauth.conf
2015/05/21 14:10:45 mapping path "/" => upstream "http://127.0.0.1:8080"
2015/05/21 14:10:45 OauthProxy configured for [APPID].apps.googleusercontent.com
2015/05/21 14:10:45 Warning: cookie-https-only setting is deprecated and will be removed in a future version. use cookie-secure
2015/05/21 14:10:45 Cookie settings: secure (https):false httponly:true expiry:168h0m0s domain:trywildcard.com
2015/05/21 14:10:45 listening on 0.0.0.0:4180

Netcat:

 nc -lk 8080 < pipe | tee proxy.log | nc localhost 15672 > pipe

Curl:

curl -u guest:guest -Lv -H "Cookie: _oauthproxy=[MYCOOKIE]" localhost:4180/api/queues/%2F/amq.queue
* Adding handle: conn: 0x7ffb89804000
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7ffb89804000) send_pipe: 1, recv_pipe: 0
* About to connect() to localhost port 4180 (#0)
*   Trying ::1...
* Connected to localhost (::1) port 4180 (#0)
* Server auth using Basic with user 'guest'
> GET /api/queues/%2F/amq.queue HTTP/1.1
> Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
> User-Agent: curl/7.30.0
> Host: localhost:4180
> Accept: */*
> Cookie: _oauthproxy=[MYCOOKIE]
>
< HTTP/1.1 301 Moved Permanently
< Location: /api/queues/amq.queue
< Date: Thu, 21 May 2015 18:11:15 GMT
< Content-Length: 56
< Content-Type: text/html; charset=utf-8
<
* Ignoring the response-body
* Connection #0 to host localhost left intact
* Issue another request to this URL: 'HTTP://localhost:4180/api/queues/amq.queue'
* Found bundle for host localhost: 0x7ffb894154a0
* Re-using existing connection! (#0) with host localhost
* Connected to localhost (::1) port 4180 (#0)
* Adding handle: conn: 0x7ffb89804000
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7ffb89804000) send_pipe: 1, recv_pipe: 0
* Server auth using Basic with user 'guest'
> GET /api/queues/amq.queue HTTP/1.1
> Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
> User-Agent: curl/7.30.0
> Host: localhost:4180
> Accept: */*
> Cookie: _oauthproxy=[MYCOOKIE]
>
< HTTP/1.1 404 Not Found
< Content-Length: 55
< Content-Type: application/json
< Date: Thu, 21 May 2015 18:11:15 GMT
* Server MochiWeb/1.1 WebMachine/1.10.0 (never breaks eye contact) is not blacklisted
< Server: MochiWeb/1.1 WebMachine/1.10.0 (never breaks eye contact)
<
* Connection #0 to host localhost left intact
{"error":"Object Not Found","reason":"\"Not Found\"\n"}

Proxy:

::1 - [email protected] [21/May/2015:14:11:15 -0400] localhost:4180 GET - "/api/queues///amq.queue" HTTP/1.1 "curl/7.30.0" 301 56 0.000
::1 - [email protected] [21/May/2015:14:11:15 -0400] localhost:4180 GET 127.0.0.1:8080 "/api/queues/amq.queue" HTTP/1.1 "curl/7.30.0" 404 55 0.013

proxy.log from netcat:

GET /api/queues/amq.queue HTTP/1.1
Host: localhost:4180
User-Agent: curl/7.30.0
Accept: */*
Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=
Cookie: _oauthproxy=[MYCOOKIE]
X-Forwarded-For: ::1
Accept-Encoding: gzip


hexedpackets avatar hexedpackets commented on July 19, 2024

Just to cut out a piece of the puzzle, I can replicate this using just netcat without rabbitmq or basic auth by changing the netcat command to

while true; do echo -ne "HTTP/1.0 200 OK\r\n\r\n" | nc -l 8080; done

and using any triple-slashed URL, i.e.

curl -Li -H "Cookie: _oauthproxy=[MYCOOKIE]" localhost:4180/a/%2f/b


jehiah avatar jehiah commented on July 19, 2024

Thanks. That's helpful. Let me see what I get w/ that.


hexedpackets avatar hexedpackets commented on July 19, 2024

Ugh, I just tried compiling from source and running that binary and the URL is passed upstream correctly. So I guess it's not fixed in the released 1.1.1 (at least on OS X), but it is fixed on master.

Thanks for the help!


jehiah avatar jehiah commented on July 19, 2024

@hexedpackets Ahh. I didn't realize that. Hopefully in the next week or two I'll cut a new release so no one else runs into that issue.

from oauth2_proxy.
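
An added example, not code from oauth2_proxy or from any participant in this thread: a Go program showing how the logged behaviour (`///` seen, 301 to the collapsed path) can arise, assuming the router matches on the percent-decoded `URL.Path` and normalises it the way Go's `net/http.ServeMux` does. The function names `cleanPath`, `routeDecision` and `forwardPath` are made up for this illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// cleanPath mirrors the normalisation Go's net/http.ServeMux applies before
// matching: collapse "//", resolve "." and "..", keep a trailing slash.
func cleanPath(p string) string {
	np := path.Clean("/" + p)
	if strings.HasSuffix(p, "/") && np != "/" {
		np += "/"
	}
	return np
}

// routeDecision returns the decoded path a router sees for requestURI and
// the redirect target if cleaning changes it ("" means no redirect).
func routeDecision(requestURI string) (seen, redirect string, err error) {
	u, err := url.ParseRequestURI(requestURI)
	if err != nil {
		return "", "", err
	}
	seen = u.Path // percent-decoded, so %2F is already "/"
	if c := cleanPath(seen); c != seen {
		redirect = c
	}
	return seen, redirect, nil
}

// forwardPath returns the path as the client encoded it, which is the form
// an upstream that treats %2F as data (not a separator) needs to receive.
func forwardPath(requestURI string) (string, error) {
	u, err := url.ParseRequestURI(requestURI)
	if err != nil {
		return "", err
	}
	return u.EscapedPath(), nil
}

func main() {
	// Request targets taken from the thread above.
	for _, t := range []string{"/a%2Fb/", "/api/queues/%2F/amq.queue", "/a/%2f/b"} {
		seen, redirect, _ := routeDecision(t)
		raw, _ := forwardPath(t)
		fmt.Printf("%-28s seen=%-26s redirect=%-24q forward=%s\n", t, seen, redirect, raw)
	}
}
```

Routing and access decisions should be made on the same path form that is forwarded upstream, so that the upstream never receives a path the proxy did not evaluate.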
