You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I agree to follow the Code of Conduct that this project adheres to.
I have searched the issue tracker for an issue that matches the one I want to file, without success.
Problem Description
We are running Dex IDP (with authproxy connector) behind a reverse proxy (Oauth2) and Istio service mesh. All the users are authenticated via Azure AD using reverse proxy which will carry user headers to Dex IDP to generate a OIDC token for some of our application. In this process, Application try to capture token using /token url of Dex but because of reverse proxy, application is not able to make request to /token as request need authorization from oauth2-proxy.
For work around we have configured skip-auth-routes in our reverse-proxy to disable Authn/Authz requirement on specific set of requests are URLs
/token
/keys
/.well-known/openid-configuration
With skip-auth-routes, whole user journey is working fine. But we don't want to expose these endpoints in skip-auth-route and ever more specifically token endpoint i.e. /token as it can be used by attacker to create unauthorized token and may allow them to gain access to our application.
Proposed Solution
Make token endpoint URL configurable just like Issuer URL.
We would like to configure that URL with internal kubernetes URL, so application can connect to token endpoint URL internal to kubernetes without the requirement of Authn/Authz via Istio Gateway and reverse proxy.
Alternatives Considered
No response
Additional Information
I am happy to submit a PR if feature request is found useful and approved
The text was updated successfully, but these errors were encountered:
Preflight Checklist
Problem Description
We are running Dex IDP (with authproxy connector) behind a reverse proxy (Oauth2) and Istio service mesh. All the users are authenticated via Azure AD using reverse proxy which will carry user headers to Dex IDP to generate a OIDC token for some of our application. In this process, Application try to capture token using
/tokenurl of Dex but because of reverse proxy, application is not able to make request to/tokenas request need authorization from oauth2-proxy.For work around we have configured
skip-auth-routesin our reverse-proxy to disable Authn/Authz requirement on specific set of requests are URLsWith
skip-auth-routes, whole user journey is working fine. But we don't want to expose these endpoints inskip-auth-routeand ever more specifically token endpoint i.e./tokenas it can be used by attacker to create unauthorized token and may allow them to gain access to our application.Proposed Solution
Make token endpoint URL configurable just like Issuer URL.
We would like to configure that URL with internal kubernetes URL, so application can connect to token endpoint URL internal to kubernetes without the requirement of Authn/Authz via Istio Gateway and reverse proxy.
Alternatives Considered
No response
Additional Information
I am happy to submit a PR if feature request is found useful and approved
The text was updated successfully, but these errors were encountered: