Prefixing services as subdomains breaks Oauth2 authentication to environments #2573

Closed
smlx opened this issue Mar 16, 2021 · 1 comment
Labels
0-kubernetes Vanilla kubernetes support

smlx commented Mar 16, 2021

Describe the bug

Situation: A web developer uses OAuth2 for authentication to their PR environments.

OAuth2 generally is quite strict about limiting redirect URIs to be absolute. The reasons behind this are described in the OAuth2 threat model RFC.

However, some OAuth2 providers such as Auth0 do allow limited wildcards for subdomains as a convenience. These rules are similar to those for wildcard DNS records. In particular, only the leftmost label in the domain may be a wildcard.

On OpenShift this works because for autogenerated routes we prefixed the service, environment, and project to the cluster domain as a single label joined by hyphens, e.g. `app-myproject-pr-1234.lagoon.mycluster.example.com`.

On k8s, however, we separate these components into separate labels, e.g. `app.pr-1234.myproject.lagoon.mycluster.example.com`.

This means that there is no way to capture auto-generated domains using a wildcard given the rules linked above.

To Reproduce

Steps to reproduce the behavior:

  1. Deploy a PR environment using OAuth2 via Auth0.
  2. Authentication doesn't work.
  3. There's no way to get it working with the current autogenerated router pattern system.

Expected behavior

I would expect existing Lagoon workflows to continue working on Kubernetes the same way they work on OpenShift.

Screenshots

n/a

Additional context

n/a
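
The wildcard rule described in the issue above, as an added example that is not part of the original issue and is not Lagoon's or Auth0's code. It assumes a simplified rule set (one `*` allowed only as the whole leftmost host label, standing for exactly one label; scheme, port, path and query must match exactly) and a constructed `/callback` path; the two hostnames are the ones quoted in the issue.

```python
from urllib.parse import urlsplit

# Constructed allow-list entry; the /callback path is an assumption.
ALLOWED = "https://*.lagoon.mycluster.example.com/callback"
# Hostname shapes quoted in the issue.
OPENSHIFT_STYLE = "https://app-myproject-pr-1234.lagoon.mycluster.example.com/callback"
K8S_STYLE = "https://app.pr-1234.myproject.lagoon.mycluster.example.com/callback"


def match_redirect_uri(pattern: str, candidate: str) -> bool:
    """Check a redirect URI against one allow-list pattern.

    Simplified, assumed rules: everything except the host must match
    exactly, and '*' may appear only as the entire leftmost host label,
    where it stands for exactly one non-empty label.
    """
    p, c = urlsplit(pattern), urlsplit(candidate)
    p_labels = (p.hostname or "").split(".")
    c_labels = (c.hostname or "").split(".")

    # Reject patterns that try to use a wildcard anywhere but the leftmost label.
    if "*" in "".join(p_labels[1:]) or ("*" in p_labels[0] and p_labels[0] != "*"):
        raise ValueError("wildcard allowed only as the whole leftmost label")

    # Non-host components are compared exactly; userinfo and fragments are refused.
    if (p.scheme, p.port, p.path, p.query) != (c.scheme, c.port, c.path, c.query):
        return False
    if c.username is not None or c.fragment:
        return False

    # A wildcard never spans a dot, so the label counts must be equal.
    if len(p_labels) != len(c_labels):
        return False
    if p_labels[0] == "*":
        return bool(c_labels[0]) and p_labels[1:] == c_labels[1:]
    return p_labels == c_labels


def audit(pattern: str, candidates: list[str]) -> dict[str, bool]:
    """Map each candidate redirect URI to whether the pattern allows it."""
    return {uri: match_redirect_uri(pattern, uri) for uri in candidates}


if __name__ == "__main__":
    for uri, ok in audit(ALLOWED, [OPENSHIFT_STYLE, K8S_STYLE]).items():
        print("ALLOW" if ok else "DENY ", uri)
```

The hyphen-joined hostname is one label under the cluster domain, so the single wildcard covers it; the dotted hostname adds three labels, and a pattern with more than one wildcard is refused outright.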

@smlx smlx added the 0-kubernetes Vanilla kubernetes support label Mar 16, 2021
smlx added a commit that referenced this issue Mar 16, 2021
Instead of ${service}.${routerPattern}, we can do
${service}-${routerPattern}. This enables some use-cases in kubernetes
that used to work on openshift.

See #2573
@tobybellwood

implemented!
