@SystemsPurge

Replaced the separate flow URLs (login, validate, etc.) with a single issuer URL that defines which flows the IDP supports, making the possible authentication methods supported by the proxy more flexible and IDP dependent.
Added code_challenge_method (PKCE) environment, in case the IDP cannot explicitly provide a secret.
Kept the client_secret env, in case the IDP is able to explicitly add villas as a client.
Changed ingress proxy annotations to account for headers possibly being too big with some auth flows.
If you want to test, use a Keycloak instance (as an example), with KC_PROXY=edge and KC_PROXY_HEADERS=xforwarded.
Both the public and confidential client configurations should work properly.

{{- end }}
nginx.ingress.kubernetes.io/rewrite-target: /$1
nginx.ingress.kubernetes.io/use-regex: "true"
nginx.ingress.kubernetes.io/proxy-body-size: 1024m
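
Review bot: the `nginx.ingress.kubernetes.io/proxy-body-size: 1024m` line at the end of this hunk limits the request body, not the header size, so it should stay in place when the header-related annotations are changed; without it, uploads above the controller's default body limit are rejected with 413. If the oversized auth-flow headers are handled with a buffer annotation such as `nginx.ingress.kubernetes.io/proxy-buffer-size`, put it next to this line and add a template comment on each saying what it is for (file uploads vs. large auth headers).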
Contributor

I think this was necessary to upload larger files, e.g. CSV results which are pushed to VILLASweb.

@stv0g
Contributor

stv0g commented Oct 16, 2025

I don't have the time for testing this, unfortunately. But I think we can go ahead and merge it.

Could you maybe check if a configuration without IDP still works?

@SystemsPurge
Author

@stv0g What do you mean exactly without IDP? Without external auth?

Ubuntu added 3 commits October 27, 2025 09:18
…s image

Signed-off-by: SystemsPurge <naktiyoussef@proton.me>
Signed-off-by: SystemsPurge <naktiyoussef@proton.me>
Signed-off-by: SystemsPurge <naktiyoussef@proton.me>
@stv0g
Contributor

stv0g commented Nov 5, 2025

Yes exactly, just normal auth via VILLASwebs database.
