
Correlate domains to callback_url when using multiple callback_urls

Open bobyin opened this issue 5 years ago • 6 comments

Hi, I'm still a learner at this, and I hit a problem:

We have a site with multiple domains, for example "tools.com" and "mysite.com",

When I go to dev.tools.com it works fine with Okta OAuth, but dev.mysite.com does not; it keeps looping on redirects, and I don't know why.

Here are my config files and logs:

dev.tools.com nginx config: https://hasteb.in/ahaconox.nginx
dev.mysite.com nginx config: https://hasteb.in/aqetiwug.nginx
vouch-proxy config.yml: https://hasteb.in/xafiyalo.yaml
dev.mysite.com log: https://hasteb.in/eroyaqip.json
dev.tools.com log: https://hasteb.in/jejuxiha.json

Could you please take a look and advise what is wrong?

Thanks a lot

bobyin avatar Aug 04 '20 08:08 bobyin

In order for mysite.com and world.com to work you will need to set up multiple callback_urls. VP relies on setting a cookie during the call to /auth.

callback_urls: 
 - https://login.tools.com/auth
 - https://login.world.com/auth
 - https://login.mysite.com/auth

In this configuration you will need to remove cookie.domain: mysite.com, which will only allow VP to service mysite.com.

If you require more support please do turn on testing and submit full logs including startup.

bnfinet avatar Aug 04 '20 12:08 bnfinet

Thanks @bnfinet !!

It works based on your response and one more change in the mysite.com nginx config file,

location @error401 {
    # redirect to Vouch Proxy for login
    return 302 https://login.tools.com/login?url=$scheme://$http_host$request_uri&vouch-failcount=$auth_resp_failcount&X-Vouch-Token=$auth_resp_jwt&error=$auth_resp_err;
}

which changes login.tools.com to login.mysite.com.

Thanks again!

bobyin avatar Aug 05 '20 03:08 bobyin

Hi @bgehman

I also found what I think is a bug, in login.go:

	// this checks the multiple redirect case for multiple matching domains
	if len(cfg.GenOAuth.RedirectURLs) > 0 {
		found := false
		domain := domains.Matches(r.Host)
		log.Debugf("/login looking for callback_url matching %s", domain)
		for _, v := range cfg.GenOAuth.RedirectURLs {
			if strings.Contains(v, domain) {
				found = true

We have two domains like mysite.com and site.com; when going to dev.site.com it will redirect to login.mysite.com.

Would it be:

if strings.Contains(v, "."+domain) {

Thanks.

bobyin avatar Aug 05 '20 06:08 bobyin

@bobyin hmm, yeah that's probably a bug.

Instead of improving that check, how about creating a map at startup for domain to callback_url. They should be directly correlated. That would also offer a natural check for misconfiguration.

Would you be interested in working on a fix?

bnfinet avatar Aug 05 '20 13:08 bnfinet
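The domain-to-callback_url map bnfinet proposes, with a host check that compares whole DNS labels so the substring false positive bobyin reported ("site.com" inside "login.mysite.com") cannot happen. This is an added Go example, not vouch-proxy's own code; the function names are mine and the sample domains and URLs are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// callbackForDomain maps each configured domain to the one callback_url whose host
// is that domain or a subdomain of it. Built once at startup, so a domain with zero
// or several matching callback_urls is rejected as a misconfiguration up front.
func callbackForDomain(domains, callbackURLs []string) (map[string]string, error) {
	m := make(map[string]string, len(domains))
	for _, d := range domains {
		for _, cb := range callbackURLs {
			if !hostUnderDomain(cb, d) {
				continue
			}
			if prev, dup := m[d]; dup {
				return nil, fmt.Errorf("domain %q matches both %q and %q", d, prev, cb)
			}
			m[d] = cb
		}
		if _, ok := m[d]; !ok {
			return nil, fmt.Errorf("domain %q has no matching callback_url", d)
		}
	}
	return m, nil
}

// hostUnderDomain compares the callback URL's host with the domain label by label,
// so "site.com" does not match "login.mysite.com" the way a substring test does.
func hostUnderDomain(rawURL, domain string) bool {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false
	}
	h, d := strings.ToLower(u.Hostname()), strings.ToLower(domain)
	return h == d || strings.HasSuffix(h, "."+d)
}

// naiveContains is the substring test quoted from login.go above; it false-positives.
func naiveContains(rawURL, domain string) bool {
	return strings.Contains(rawURL, domain)
}

func main() {
	m, err := callbackForDomain([]string{"site.com", "mysite.com"}, []string{"https://login.mysite.com/auth", "https://login.site.com/auth"})
	fmt.Println(m, err)
}
```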

Sorry, can't promise it, but I'll try to learn to write something. Thanks

bobyin avatar Aug 06 '20 07:08 bobyin

Thanks for the PR #308 @bobyin!

bnfinet avatar Aug 12 '20 12:08 bnfinet