Redirection for oauth2-proxy should return 307 instead of 302 #12636

Open
Ph0tonic opened this issue Jan 7, 2025 · 2 comments · May be fixed by #12646
Labels
kind/bug Categorizes issue or PR as related to a bug. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments

@Ph0tonic

Ph0tonic commented Jan 7, 2025

What happened:

Hi,

I have the following Oauth2 setup. Custom WebService, ingress-nginx, Oauth2-Proxy, KeyCloak as OIDC.
When opening a page with a POST method, the following happens if we are still logged in:

  • POST request on api endpoint, ingress-nginx 302 redirects to oauth2-proxy
  • GET on /start over oauth2-proxy, returns 302 redirects to keycloak on /auth
  • GET on /auth over keycloak, returns 302 redirects to oauth2-proxy on /callback
  • GET on /callback over oauth2-proxy, returns 302 redirects to api endpoint
  • GET request on api endpoint

The problem here is that the original method is lost due to the return codes, which are 302 instead of 307. For the browser to respect the method, the 307 response code is required; otherwise, the method is lost.

As of the documentation here:

It seems to me that if ingress-nginx, oauth2-proxy and keycloak were returning 307 response code, then the method would be conserved and the valid api would be reached.

Could it be feasible to change the return code to 307 instead of 302?

An issue already exists in oauth2-proxy and I will open a new one in keycloak.

If we were able to change this response code in keycloak, oauth2-proxy and ingress-nginx, then we would get the following working process:

  • POST request on api endpoint, ingress-nginx 307 redirects to oauth2-proxy
  • POST on /start over oauth2-proxy, returns 307 redirects to keycloak on /auth
  • POST on /auth over keycloak, returns 307 redirects to oauth2-proxy on /callback
  • POST on /callback over oauth2-proxy, returns 307 redirects to api endpoint
  • POST request on api endpoint

There is no error message but an invalid behavior.

What you expected to happen:

I would expect the server to return a 307 redirection code instead of a 302.

NGINX Ingress controller version (exec into the pod and run /nginx-ingress-controller --version):

Not required

Kubernetes version (use kubectl version):

Not required

Environment:

Not required

How to reproduce this issue:

Basic config and add an ingress with the 2 annotations for OAuth2-proxy

```yaml
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-name
  annotations:
    nginx.ingress.kubernetes.io/enable-cors: "true"
    # oauth
    nginx.ingress.kubernetes.io/auth-signin: "https://keycloak.domaine.demo/oauth2/start?rd=https://$host$request_uri"
    nginx.ingress.kubernetes.io/auth-url: "http://oauth2-proxy.domaine.demo/oauth2/auth"
spec:
  # ingressClassName is a spec field, not an annotation
  ingressClassName: nginx
  # rules / backend are not shown in the report
```

Anything else we need to know:

There are potentially 2 ways to fix this.

  1. add a parameter to configure the return code
  2. simply change the return code
@Ph0tonic Ph0tonic added the kind/bug Categorizes issue or PR as related to a bug. label Jan 7, 2025
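
The redirect chain from the report above, replayed under the browser's method-rewriting rules (Fetch standard: 301/302 turn a POST into a GET, 303 turns anything but GET/HEAD into a GET, 307/308 preserve method and body). This is an added example, not code from the thread or from ingress-nginx; the hostnames and the API path are constructed placeholders, and only the `/start`, `/auth` and `/callback` hops come from the issue.

```javascript
// Added example: models how a browser picks the method after a redirect
// and replays the five-step chain listed in the issue.
// Hostnames and the API path are constructed placeholders.

// Method the browser uses for the follow-up request (Fetch standard rules).
function nextMethod(status, method) {
  if ((status === 301 || status === 302) && method === 'POST') return 'GET';
  if (status === 303 && method !== 'GET' && method !== 'HEAD') return 'GET';
  return method; // 307 and 308 preserve method and body
}

// Four redirecting hops from the issue, then the final API request.
const HOPS = [
  { host: 'api.example.test', path: '/api/endpoint' },      // ingress-nginx redirects
  { host: 'oauth2-proxy.example.test', path: '/start' },
  { host: 'keycloak.example.test', path: '/auth' },
  { host: 'oauth2-proxy.example.test', path: '/callback' },
  { host: 'api.example.test', path: '/api/endpoint' },      // final request
];

// Walk the chain with every redirect answering `status`;
// record the method and whether the original body is sent at each hop.
function walkChain(status, initialMethod = 'POST') {
  let method = initialMethod;
  let hasBody = initialMethod !== 'GET' && initialMethod !== 'HEAD';
  const trace = [];
  HOPS.forEach((hop, i) => {
    trace.push({ ...hop, method, hasBody });
    if (i < HOPS.length - 1) {
      const next = nextMethod(status, method);
      if (next !== method) hasBody = false; // body is dropped on rewrite
      method = next;
    }
  });
  return trace;
}

// Hosts other than the API that receive the original request body.
function bodyRecipients(trace, apiHost = 'api.example.test') {
  const hosts = trace.filter(h => h.hasBody && h.host !== apiHost).map(h => h.host);
  return [...new Set(hosts)];
}

for (const status of [302, 307]) {
  const trace = walkChain(status);
  console.log(status, trace.map(h => `${h.method} ${h.host}${h.path}`).join(' -> '));
  console.log('  body also sent to:', bodyRecipients(trace));
}
```

With 307 on every hop the final request stays a POST, but the original request body is also replayed to each intermediate host in the chain, which is worth weighing when the body carries credentials or other sensitive data.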
@SeWieland

SeWieland commented Jan 7, 2025

Did this behaviour change with 4.12.0? I can't really find anything here mentioned in the Changelog... Can this be configured in the configuration somehow? All my ingresses with auth redirects (same setup as described) stopped working unexpectedly

Edit: The auth-signing regex changed and my annotation now contains invalid values - different problem on my side.

@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Jan 7, 2025
@k8s-ci-robot
Contributor

This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@Ph0tonic Ph0tonic linked a pull request Jan 9, 2025 that will close this issue