mirror of
https://github.com/holos-run/holos.git
synced 2026-03-20 17:25:01 +00:00
2db7be671b
This patch configures the service mesh to route all requests with a uri path prefix of `/holos/oidc` to the auth proxy associated with the project stage. Consider a request to https://jeff.holos.dev.k2.ois.run/holos/oidc/sign_in This request is usually routed to the backend app, but VirtualService/authproxy in the dev-holos-system namespace matches the request and routes it to the auth proxy instead. The auth proxy matches the request Host: header against the whitelist and cookiedomain setting, which matches the suffix `.holos.dev.k2.ois.run`. The auth proxy redirects to the oidc issuer with a callback url of the request Host for a url of `https://jeff.holos.dev.k2.ois.run/holos/oidc/callback`. ZITADEL matches the callback against those registered with the app and the app client id. A code is then sent back to the auth proxy. The auth proxy sets a cookie named `__Secure-authproxy-dev-holos` with a domain of `.holos.dev.k2.ois.run` from the suffix match of the `--cookiedomain` flag. Because this all works using paths, the `auth` prefix domains have been removed. They're unnecessary, oauth2-proxy is available for any host routed to the project stage at path prefix `/holos/oidc`. Refer to https://oauth2-proxy.github.io/oauth2-proxy/features/endpoints/ for good endpoints for debuggin, replacing `/oauth2` with `/holos/oidc`