-
Notifications
You must be signed in to change notification settings - Fork 346
Authorization header is passed to upstream endpoint if it is passed on the client side though enable-authorization-header=false #663
Comments
if you use oauth on proxy, why need to use grafana oauth setting? Role-base model want to use in gafana? yesterday i setup grafana with louketo (with use custom port to grafana backend)
and grafana:
|
I think the focus should be on failed |
once again revised my config, I set my version - docker-compose 2.4, |
@vasilievs , I did debug the louketo code (Printed everything it passed to the upstream endpoint), It does pass the authorization header to grafana even if @jacky96623 I apologize but I don't understand your point. The basic problem is that Grafana REST API calls are failing if Grafana is configured in auth proxy mode with Louketo proxy in front of grafana and we pass |
@sandeepbangera First of all let me apologize for not expressing my opinion clear. Indeed I face the similar problem as you, the only difference is that I am not proxying for Grafana. And my steps to reproduce is just start a gatekeeper which proxies httpbin. The detailed configuration are as follow: docker run -p 3000:3000 \
quay.io/keycloak/keycloak-gatekeeper:10.0.0 \
--listen=:3000 \
--discovery-url=http://keycloak:8080/auth/realms/my-realm \
--client-id=my-client-id \
--client-secret=my-client-secret \
--upstream-url=https://httpbin.org \
--enable-authorization-header=false With the above configuration and a valid token, I can get my But if you think Grafana's auth proxy mode should handle this issue, maybe you should also raise it to Grafana? |
the key
keys set in docker-compose (i tried with all variants (one or some or all, only the token-header is removed correctly)):
|
Title
Authorization header is passed to upstream endpoint if it is passed on the client side e.g. using curl though enable-authorization-header flag is set to false. This causes issues for upstream endpoints like grafana which act on the authorization header if passed.
Summary
Tried accessing grafana API endpoint which is front ended by louketo proxy and API access FAILS because the proxy passes the Authorization header to the upstream grafana endpoint.
Environment
Expected Results
Expected the curl command to invoke the Grafana API to work.
Actual Results
Grafana API access fails with "Invalid API key"
Steps to reproduce
I was trying to use the gatekeeper proxy
quay.io/louketo/louketo-proxy:1.0.0
as a side car inside container to talk to Grafana. Grafana has been configured to run in Auth Proxy mode.Verified that the auth proxy configuration with vanilla grafana works fine.
The gatekeeper is now inserted as a side car inside the grafana container with the following args
The gatekeeper intercepts the call, does the authentication with the keycloak server and if the authentication is successful forwards the request to Grafana.
This works perfectly from the browser. But trying to call the grafana API from command line FAILS.
{"message":"Invalid API key"}
From the louketo proxy logs the authentication was successful and the proxy is passing the Authorization header to the upstream endpoint Grafana. Grafana rejects the request because it cannot recognize the authorization header passed. If you see my snippet above I do have --enable-authorization-header=false passed to the proxy.
Additional Information
Looking at the code we pass through all the headers we get from the original client i.e.
curl
in this case to the upstream endpoint.I was able to get the correct behavior by adding the below code to drop the authorization header here:
https://github.com/louketo/louketo-proxy/blob/master/middleware.go#L513
I will be happy to create a pull request to fix this.
The text was updated successfully, but these errors were encountered: