Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Handle 302 Found Redirects when using the webhook filter #3130

Open
FergusInLondon opened this issue Jun 27, 2024 · 1 comment
Open

Handle 302 Found Redirects when using the webhook filter #3130

FergusInLondon opened this issue Jun 27, 2024 · 1 comment
Assignees
@FergusInLondon

Comments

@FergusInLondon
Copy link

FergusInLondon commented Jun 27, 2024
edited
Loading

Is your feature request related to a problem? Please describe.
The Skipper webhook filter allows requests to be filtered based on the status code received from an authorisation/authentication endpoint. By default, Skipper will return an empty response with a status code of 401 or 403 if a request is rejected.

This behaviour is well-suited to API traffic, but doesn't work for frontend traffic where the user agent should be redirected upon rejection.

Describe the solution you would like
When an authentication endpoint returns a HTTP redirect - i.e. a HTTP 302 Found - then Skipper should return that redirect to the user agent.

These changes would be limited to:

  1. Introducing a new conditional to catch responses with a status code of 302 - in webhook.go#L124-L128.
  2. Introducing a new function - redirect - which is the equivalent of the existing reject function - in auth.go#L136-L142 - but copies the Location header from the authentication endpoint response.

This should not be a breaking change as currently 302 Found has no specific meaning to the webhook filter: it's caught by the default behaviour which returns 401 Unauthorized.

Would you like to work on it?
Yes, I have a Pull Request prepared - #3131
FergusInLondon added a commit to FergusInLondon/skipper that referenced this issue Jun 27, 2024
@FergusInLondon
webhook filter: allow client redirects via 302 responses (zalando#3130)
fe41415 
This commit changes the behaviour of the webhook filter when a 302 Found
response is recieved from the AuthN/AuthZ endpoint. As a result, it allows
front-end facing (i.e. non-API) traffic to be filtered via the webhook.

Documentation updates and increased test coverage is included.

Incidental: Prevent the webhook client from following redirects from the
AuthN/AuthZ endpoint: during testing I realised that the default `net/http`
behaviour was in use - i.e. redirects were followed.

Signed-off-by: Fergus Morrow <fergus@ometria.com>
@FergusInLondon FergusInLondon mentioned this issue Jun 27, 2024
Open
@szuecs
Copy link
Member

szuecs commented Jul 1, 2024

thanks, reviewed the PR, feature wise I think it's fine but implementation needs to be changed as I wrote in PR comment. Discussion in PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@FergusInLondon FergusInLondon

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@szuecs @FergusInLondon