vouch-proxy: redirection from `/auth` to `/auth/$STATE` fails when VP is hosted at a path such as `/vouch` (redirects to `/auth/$STATE` instead of `/vouch/auth/$STATE`)
Use a Paste Service
Link to logs with `vouch.testing` set to true
Describe the problem
Vouch has been configured to work with Okta and nginx. With all versions up to 0.19.2 it works well. When we update to 0.20.0 or newer versions, the process works until the last redirection after being correctly logged in. The reason is that the redirect URL is wrong, it forgets a part.
Instead of redirecting to https://app-dev.our-domain.something/vouch-webapp-dev/auth
it sends to https://app-dev.our-domain.something/auth
and it finishes with a 404 error.
Last lines of the kind of Vouch report generated in testing mode through the browser (after the Okta login screen):
Expected behavior
We expect that version 0.20.0 or newer to work like version 0.19.2 or older, in particular to not get
Additional context
- Nginx main config which includes the VP rule
- Nginx VP config has the rewriting rule
Vouch config updated (with `secure: true`)
We run Vouch on docker-swarm: image: voucher/vouch-proxy:0.19.2
Tests have been run on Chrome 0.89 and Ubuntu 20.10
About this issue
- State: closed
- Created 3 years ago
- Comments: 36 (17 by maintainers)
Commits related to this issue
- fix #373 redirect to relative path `./auth` — committed to vouch/vouch-proxy by bnfinet 3 years ago
- #373 use X-Original-URI to set cookie paths When VP is run behind Nginx "in a path" such as `/vouch/validate`, `/vouch/login` etc, it's necessary to adjust the path that the session cookie is set i... — committed to vouch/vouch-proxy by bnfinet 3 years ago
- #373 prepend path to /auth/$STATE redirect — committed to vouch/vouch-proxy by bnfinet 3 years ago
- fix #373 redirect to relative path `./auth` — committed to jskrzypek/vouch-proxy by bnfinet 3 years ago
- #373 use X-Original-URI to set cookie paths When VP is run behind Nginx "in a path" such as `/vouch/validate`, `/vouch/login` etc, it's necessary to adjust the path that the session cookie is set i... — committed to jskrzypek/vouch-proxy by bnfinet 3 years ago
- #373 prepend path to /auth/$STATE redirect — committed to jskrzypek/vouch-proxy by bnfinet 3 years ago
- #373 avoid router's auto redirection to /auth/ — committed to vouch/vouch-proxy by bnfinet 3 years ago
- #373 extract path from URL for transformation — committed to vouch/vouch-proxy by bnfinet 3 years ago
- #373 set `vouch.document_root` for "vouch in a path" — committed to vouch/vouch-proxy by bnfinet 3 years ago
- #373 VP "in a path" — committed to vouch/vouch-proxy by bnfinet 3 years ago
Released in v0.33.0
Thanks again to @balee @jskrzypek @beingamarnath @MCOfficer and @pommedeterresautee for the testing and debugging support. Very pleased to get this fix into VP.
Apologies, I had a family health crisis last week and was out of office since last Tuesday and I’m still playing catch-up. I will try to test it out in the next few business days, but it may only be next week.
In the meantime, here’s a dirty little workaround, assuming you don’t need that `/auth` path for something else.
@bnfinet I’ll try to test that next week as I’m already nearing EoD. Fwiw my coworkers on Chrome are not having that issue with needing to reload to get the configuration snippet to work
thanks @gsx95 would you be able to publish a fix and confirm it works for the common case (VP at `vouch.mydomain.com/auth`) and then we can ask @pommedeterresautee to build and test on his end?
Otherwise it will have to wait for me to get to it 😃
I would be happy to test that version when ready and report here for results.
You are right @bnfinet, this is caused by VP’s hard redirect to `/auth/state`, which doesn’t account for vouch running on its own context path as in this case. A possible fix could be to redirect to `./auth/state` instead to keep the context path. One would have to test this of course, but I think this could be a valid solution. Let me know what you think.
Your cookie.secure is false but your auth endpoint is https. Usually they should align. Probably should be removed to default secure: true.