Preflight checklist
- I could not find a solution in the existing issues, docs, nor discussions.
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- I have joined the Ory Community Slack.
- I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
No response
Describe the bug
Hi all, when upgrading to Oathkeeper v26.2.0 from v25.4.0 I see a weird redirection behavior with session authentication. I have set up the following:
```yaml
errors:
  fallback:
    - redirect
  handlers:
    redirect:
      enabled: true
      config:
        to: https://blub.bla/login
        return_to_query_param: return_to
```
and also configured:
```yaml
serve:
  proxy:
    port: 4455
    trust_forwarded_headers: true
```
I am certain my ingress (contour) correctly sets the X-Forwarded-Proto header to https. But since the upgrade all my redirects are redirecting to http instead of https.
My suspicion is that this commit, "Only use X-Forwarded-Proto header when trusted" (e9acca1), is causing the behavior. I just can't understand why, because I have configured `trust_forwarded_headers: true`.
Thanks for checking!
Reproducing the bug
Set up Oathkeeper with the container spec below:
```yaml
- name: oathkeeper
  image: ory-oathkeeper-image-placeholder
  imagePullPolicy: IfNotPresent
  args:
    - serve
    - proxy
    - --config
    - /etc/config/oathkeeper.yaml
  resources:
    requests:
      cpu: 50m
      memory: 64Mi
    limits:
      cpu: 200m
      memory: 128Mi
  ports:
    - containerPort: 4455
      name: proxy-port
    - containerPort: 4456
      name: api-port
  volumeMounts:
    - name: oathkeeper-rules-vol
      mountPath: /etc/rules
      readOnly: true
    - name: oathkeeper-config-vol
      mountPath: /etc/config
      readOnly: true
  livenessProbe:
    httpGet:
      path: /health/alive
      port: 4456
    initialDelaySeconds: 5
  readinessProbe:
    httpGet:
      path: /health/ready
      port: 4456
    initialDelaySeconds: 5
```
Relevant log output
N/A
Relevant configuration
```yaml
log:
  level: error
  leak_sensitive_values: false
serve:
  proxy:
    port: 4455
    trust_forwarded_headers: true
access_rules:
  repositories:
    - file:///etc/rules/access-rules.json
errors:
  fallback:
    - redirect
  handlers:
    redirect:
      enabled: true
      config:
        to: https://myloginapp.secret
        return_to_query_param: return_to
    json:
      enabled: true
      config:
        verbose: true
mutators:
  noop:
    enabled: true
  header:
    enabled: true
    config:
      headers: {}
authorizers:
  allow:
    enabled: true
  deny:
    enabled: true
authenticators:
  noop:
    enabled: true
  cookie_session:
    enabled: true
    config:
      check_session_url: http://kratos-public.cluster.local:80/sessions/whoami
      preserve_path: true
      extra_from: "@this"
      subject_from: "identity.id"
      only:
        - ory_kratos_session
  oauth2_introspection:
    enabled: true
    config:
      introspection_url: http://hydra-admin.svc.cluster.local:4445/admin/oauth2/introspect
      preserve_host: true
      scope_strategy: exact
      introspection_request_headers:
        "x-forwarded-proto": "https"
      required_scope:
        - "test"
      target_audience:
        - "hellohello"
      trusted_issuers:
        - "https://scammer.org/"
```
Version
v26.2.0
On which operating system are you observing this issue?
None
In which environment are you deploying?
Kubernetes
Additional Context
No response
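The trust rule the suspected commit describes, as an added illustration that is not Oathkeeper's own code: the scheme from `X-Forwarded-Proto` is honoured only when `trust_forwarded_headers` is set, and the `return_to` URL of the redirect is rebuilt from that scheme. Host, path and login URL are constructed sample values; `requestScheme` and `loginRedirect` are hypothetical helper names.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// requestScheme picks the scheme for the reconstructed request URL. The forwarded
// header counts only when the operator trusts the proxy; otherwise any client could set it.
func requestScheme(r *http.Request, trustForwardedHeaders bool) string {
	if trustForwardedHeaders {
		proto := strings.ToLower(strings.TrimSpace(r.Header.Get("X-Forwarded-Proto")))
		if proto == "https" || proto == "http" {
			return proto
		}
	}
	if r.TLS != nil {
		return "https"
	}
	return "http"
}

// loginRedirect builds the login-page redirect with the original URL in the return_to parameter.
func loginRedirect(r *http.Request, loginURL, returnToParam string, trustForwardedHeaders bool) (string, error) {
	original := url.URL{
		Scheme:   requestScheme(r, trustForwardedHeaders),
		Host:     r.Host,
		Path:     r.URL.Path,
		RawQuery: r.URL.RawQuery,
	}
	target, err := url.Parse(loginURL)
	if err != nil {
		return "", err
	}
	q := target.Query()
	q.Set(returnToParam, original.String())
	target.RawQuery = q.Encode()
	return target.String(), nil
}

func main() {
	// Constructed request: plain HTTP on the pod side, X-Forwarded-Proto set by the TLS-terminating ingress.
	req, _ := http.NewRequest("GET", "http://blub.bla/app/dashboard?tab=1", nil)
	req.Header.Set("X-Forwarded-Proto", "https")
	for _, trust := range []bool{true, false} {
		loc, _ := loginRedirect(req, "https://blub.bla/login", "return_to", trust)
		fmt.Printf("trust_forwarded_headers=%v -> %s\n", trust, loc)
	}
}
```

With trust enabled the redirect carries an https return_to; with trust disabled the same request yields an http return_to, which is the symptom reported above.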