-
Notifications
You must be signed in to change notification settings - Fork 49
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow usage of go-gatekeeper as auth-service for traefik forward-auth (or nginx auth_request or similar) #206
Comments
The This means that adding something like this to go-gatekeeper will probably allow it to be used for many similar use-cases (if go-gatekeeper is able to return a simple 401 response for failed token validations instead of redirecting to a login page, which I am still unsure about). |
@ChristianCiach you can switch off redirecting to a login page by using option: |
@p53 Thanks. I think the docs are probably explicit enough. I just didn't try out this stuff before creating this issue. The comment "used with forward proxies" probably also threw me off. But we should probably change this line if Gatekeeper will be made to work with forward-auth to mention this use-case also. |
@ChristianCiach yes i can update it, it is useful also when you would like protect just APIs and use client credentials grant (that could be probably also mentioned more explicitly in docs), but for your use case when token will be valid, request will be forwarded to upstream, that means in current situation either request will hit your backend twice, one for gatekeeper and one for traefik or you will have to have some dummy backend which always returns 200 and that would be configured as upstream in gogatekeeper. For forward-auth request it would be probably best to have some /oauth/validate endpoint or similar that would do same thing as validation with no-redirect except it would not forward, need to check/think about this. |
Yes, I agree, that would be even better than a dummy upstream-url like oauth2-proxy is using. Thanks for actually considering this! |
I actually was considering that, but I would rather avoid that to keep things as simple as possible. I also have to consider the footprint, because resources are scarce and we may need to deploy many instances of go-gatekeeper. |
@ChristianCiach i implemented features which enable you to configure gogatekeeper as forward-auth https://github.com/gogatekeeper/gatekeeper/blob/master/docs/user-guide.md#forward-auth, done it this way because it is more general and allows more use-cases, you can try 1.7.0-rc1 release, there is image in quay.io |
Awesome, thank you very much! I will test this tomorrow or later this week at the latest. |
@p53 I see that you also included a new "header matching" mechanism together with the What is the header matching good for? What problems are you trying to solve with it? I have the feeling I am missing something important. |
@ChristianCiach as i checked traefik and nginx forward-auth configuration, with traefik you must have fixed forward-auth url: |
@ChristianCiach how it worked to you? |
@p53 I am very embarrassed that testing this stuff takes so much longer than you took to implement it 😅 I am currently busy with unforseen stuff at work, but I promise I get back to you very soon!
Yes, this makes perfect sense! Thank you for thinking ahead. |
Most likely I will thoroughly test this with multiple traefik IngressRoutes tomorrow! You may want to hold back the final release of 1.7.0 until then. Sorry for leaving you hanging! (Actually, when I created this feature request, I thought "well, this will probably take a few months...". You took me by surprise by implementing it that quickly. So I didn't reserve time for testing it 😄) |
@ChristianCiach no hurry, just take your time...., i will leave this issue opened anyway until you confirm that it works for you |
I am testing 1.7.0-rc2, but I cannot get it to work. This is my current Deployment: apiVersion: apps/v1
kind: Deployment
metadata:
name: dashboard-apis-oauth
namespace: censored
spec:
selector:
matchLabels:
app.kubernetes.io/name: dashboard-apis-oauth
template:
metadata:
labels:
app.kubernetes.io/name: dashboard-apis-oauth
spec:
containers:
- args:
- --client-id=dashboard
- --no-redirects=true
- --no-proxy=true
- --listen=0.0.0.0:4180
- --discovery-url=https://auth-censored.experimental.local/auth/realms/censored
env:
- name: SSL_CERT_FILE
value: /cacerts/tls.ca
image: quay.io/gogatekeeper/gatekeeper:1.7.0-rc2
livenessProbe:
httpGet:
path: /oauth/health
port: 4180
initialDelaySeconds: 5
periodSeconds: 60
name: oauth-proxy
ports:
- containerPort: 4180
name: oauth
volumeMounts:
- mountPath: /cacerts
name: cacerts
volumes:
- name: cacerts
secret:
items:
- key: tls.ca
path: tls.ca
secretName: dashboard-apis-cacerts-25k7g68k7t This is the traefik middleware: apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
labels:
app.kubernetes.io/name: dashboard-apis-oauth
app.kubernetes.io/part-of: dashboard
name: dashboard-apis-oauth
namespace: censored
spec:
forwardAuth:
address: http://dashboard-apis-oauth.censored:4180/oauth/authorize Observations, in no specific order:
Do you have an idea? Can I provide anything to debug this? |
Interestingly, Traefik passes the |
|
@ChristianCiach i think i will have to give some example in docs on protecting REST API's with gatekeeper because it seems it is not very known thing |
Yes, it is in the documentation, but maybe there should be a complete example for the forward-auth use case. I still think it's a bit confusing, but maybe that's just me :)
I've seen this, but I would rather avoid this option, since this hostname is especially important to verify. Thanks for the pointer, though!
Thanks for this!
Thanks, this works! I would probably never have guessed that 😄 Maybe my brain is still too attached to how oauth2-proxy works. I can confirm that this works with a valid token and properly returns 401 when the token is missing, expired or corrupt. In case of a corrupt token (just removed a character from the JWT signature part), gatekeeper logs this:
When the token is missing, it logs this:
In both cases it states a redirect, which isn't actually happening. This is not a big issue, just a cosmetic thing. I will also try the header-matching thingy, but probably not today. I see that you have unit tests for this, so I trust that this will work. |
Will this even have any effect when using forward-auth? As I understand it, Traefik will only ever request the |
|
Thanks for everything so far! It seems to work just fine, ignoring the small cosmetic issues in the logs. Have a nice evening! |
Now that 1.7.0 is out and this seems to work fine, I will close this issue. Thanks again! |
ChristianCiach: Do you use header matching feature or do you use I use the exact settings from forward-auth documentation example but I don't understand the last two lines.
How to set allowed resources with keycloak? Are there defaults for |
@bcm0 replied to you also on discord
|
Let me preface my issue by saying that I absolutely love this project! This is exactly what we need and I am especially excited for the teased OPA integration.
Previously we were using oauth2-proxy, but this leaves a lot to be desired and the configuration is awkward at best. With gogatekeeper we are only missing a single little feature, which leads me to this request.
Summary
Instead of using gogatekeeper as a reverse-proxy, we would like to use it as an auth-service together with Traefik's forward-auth. This is actually possible with oauth2-proxy, but the configuration is really awkward. The relevant part of our pod-spec for the oauth2-proxy looks like this:
This is the corresponding Traefik-Middleware configuration:
Why?
The idea is to (additionally) secure our Rest-APIs at the ingress controller (Traefik) before a request hits the actual backend service. Traefik takes the requests and forwards it to the configured "forward-auth" service.
How
As you can see from the example above, oauth2-proxy allows the configuration of a special upstream-url with the schema
static://
, for example:--upstream=static://202
. This makes oauth2-proxy return a simple 202 response with an empty body if a token is successfully validated. This makes it very easy to use it with traefik's forward-auth. Of course, there is no need exactly replicate this in gogatekeeper. I would be totally fine with something like..Additional Information
After having written all of this... Does gogatekeeper even allow simple JWT-validation without initiating the auth-code-flow if the token is missing or invalid? I've not tried this yet and the documention is not perfectly clear to me in this regard.
The text was updated successfully, but these errors were encountered: