forward-auth and webhook filter - always 200 #3329

Open
ppoloskov opened this issue Dec 5, 2024 · 3 comments

Comments

@ppoloskov

I'm trying to set up a Kubernetes playground with Skipper as ingress controller and Authelia as auth service.
Skipper is ghcr.io/zalando/skipper:v0.21.223, Authelia is ghcr.io/authelia/authelia:4.38.15.

I added one annotation on the ingress:
zalando.org/skipper-filter: webhook("http://auth.networking.svc.cluster.local:9091/api/authz/forward-auth")

However, when I open a protected URL, authorization never happens and the page just opens.
In the Authelia log I see that access is not authorized, with status 302:

{"level":"info","method":"GET","msg":"Access to https://wombat.XXX.net/zb/ (method GET) is not authorized to user \u003canonymous\u003e, responding with status code 302 with location redirect to https://wombat.XXX.net/auth/?rd=https%3A%2F%2Fwombat.XXX.net%2Fzb%2F\u0026rm=GET","path":"/api/authz/forward-auth","remote_ip":"192.168.10.1","time":"2024-12-05T12:11:02+10:00"}

However, Skipper acts as if it received 200:

{"audit":"","auth-user":"webhook","duration":5,"flow-id":"","host":"192.168.10.1","level":"info","method":"GET","msg":"","proto":"HTTP/2.0","referer":"","requested-host":"wombat.XXX.net","response-size":405,"status":200,"timestamp":"05/Dec/2024:12:11:02 +1000","uri":"/zb/","user-agent":"curl/8.7.1"}

Config is below:

	  '-access-log-json-enabled',
	  '-address=:8043',
	  '-application-log-json-enabled',
	  //	'-application-log-level=WARN',
	  '-application-log-level=DEBUG',
	  //'-default-filters-prepend=enableAccessLog(2,4,5)->flowId()->xforward()',
	  '-disable-metrics-compat',
	  '-enable-connection-metrics',
	  '-enable-ratelimits',
	  '-enable-route-fifo-metrics',
	  '-enable-route-lifo-metrics',
	  '-expect-continue-timeout-backend=30s',
	  '-experimental-upgrade',
	  '-histogram-metric-buckets=.01,.025,.05,.075,.1,.2,.3,.4,.5,.75,1,2,3,4,5,7,10,15,20,30,60,120,300,600',
	  '-idle-timeout-server=62s',
	  '-insecure-address=:8080',
	  '-keepalive-backend=30s',
	  '-kubernetes-https-redirect',
	  '-kubernetes-in-cluster',
	  '-kubernetes-enable-tls=true',
	  '-kubernetes-ingress-class=skipper',
	  '-kubernetes-path-mode=path-prefix',
	  '-kubernetes',
	  '-forwarded-headers=X-Forwarded-For,X-Forwarded-Host,X-Forwarded-Method,X-Forwarded-Uri,X-Forwarded-Port=443,X-Forwarded-Proto=https',
	  '-max-audit-body=0',
	  '-metrics-exp-decay-sample',
	  '-metrics-flavour=prometheus',
	  '-read-timeout-server=5m',
	  '-response-header-timeout-backend=1m',
	  '-runtime-metrics=false',
	  '-serve-host-metrics',
	  '-wait-first-route-load',
	  '-write-timeout-server=60s',
@MustafaSaber
Member

Hi, can you add a full set of Skipper logs? And maybe the full ingress, or an example of it? If feasible, also maybe the routing table; you can get it with curl -v http://$SKIPPER_URL/routes?limit=$SOME_BIG_LIMIT
We don't really know ghcr.io/authelia/authelia:4.38.15; what we can do is try to debug Skipper.

@AlexanderYastrebov
Member

I think the problem is that the webhook client follows redirects by default (see #3130), and then the location from "responding with status code 302 with location redirect to https://wombat.XXX.net/auth/?rd=https%3A%2F%2Fwombat.XXX.net%2Fzb%2F&rm=GET" responds with 2xx, which makes the webhook pass.
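
The behaviour described in this comment, reproduced as an added example (not Skipper's or Authelia's code): a stub auth endpoint answers 302 to a login page that itself answers 200, so a client that follows redirects reports 200 and the webhook decision passes, while a client that stops at the first response keeps the 302 and denies. The stub paths, `WebhookAllows` and `NoRedirectClient` are assumptions for illustration; treating only 2xx as "allow" mirrors what the comment states.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newAuthServer is a constructed stand-in for the forward-auth endpoint (not Authelia):
// the authz path answers 302 to the login page, and the login page answers 200.
func newAuthServer() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/authz/forward-auth", func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, "/auth/?rd="+r.URL.Query().Get("rd"), http.StatusFound)
	})
	mux.HandleFunc("/auth/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "login page") // implicit 200
	})
	return httptest.NewServer(mux)
}

// NoRedirectClient returns a client that reports the first response instead of
// following Location, so a 302 from the auth service stays a 302.
func NoRedirectClient() *http.Client {
	return &http.Client{
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

// WebhookStatus issues the auth request with the given client and returns the status
// code the webhook decision would be based on.
func WebhookStatus(client *http.Client, authURL string) (int, error) {
	resp, err := client.Get(authURL)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// WebhookAllows reports whether a webhook-style check using client would let the
// request through, counting only a 2xx answer as authorized.
func WebhookAllows(client *http.Client, authURL string) (bool, error) {
	status, err := WebhookStatus(client, authURL)
	if err != nil {
		return false, err
	}
	return status >= 200 && status < 300, nil
}
```

Running `WebhookAllows` with `http.DefaultClient` against the stub yields true (redirect followed, 200 seen), and with `NoRedirectClient()` yields false (302 kept).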

@ppoloskov
Author

Thank you @AlexanderYastrebov. I temporarily switched to oauth; however, I liked forward-auth more, especially the fallback to basic auth.
