Description
I am currently using the authproxy connector in Dex with the following configuration to integrate with a YunoHost Single Sign-On (SSO) setup:
```yaml
- type: authproxy
  id: ssowhat
  name: YunoHost SSO
  config:
    userHeader: YNH_USER_FULLNAME
    emailHeader: YNH_USER_EMAIL
    userNameHeader: YNH_USER
```

This setup works correctly when a user is already authenticated via the YunoHost reverse proxy, as the required headers are present.
However, when a user attempts to access the Dex login page directly without first being logged in via YunoHost (i.e., the headers are missing), the authentication fails, and the user is presented with an "Internal Server Error" and the message:
This is because the code responsible doesn't have any fallback options when headers are missing, always leading to an error.
dex/connector/authproxy/authproxy.go, lines 101 to 103 in d768071:

```go
if remoteUser == "" {
	return connector.Identity{}, fmt.Errorf("required HTTP header %s is not set", m.userHeader)
}
```
To handle this unauthenticated scenario gracefully, I propose adding an optional configuration field to the authproxy connector that specifies a redirection URL for when the required headers are missing.
When a request for authentication via the authproxy connector fails specifically because one or more of the configured user/email/username headers are not present, Dex should:
- Halt the authentication attempt.
- Redirect the user to the configured URL (e.g., a central login page or the YunoHost SSO gate).
This would allow users who bypass the SSO proxy to be sent to the correct location to log in, rather than receiving a cryptic internal server error.
This feature would significantly improve the user experience and the overall robustness of the authproxy connector when used in conjunction with external authentication proxies that handle the initial login flow.
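To make the proposal concrete, here is the fallback sketched as a standalone Go HTTP handler. This is an added example, not Dex code or part of the issue: the `Config` struct, its `RedirectURL` field, the `Identity` stand-in for `connector.Identity`, and the `sso.example.test` hostname are all assumptions made for the illustration. The only check kept from the quoted `authproxy.go` lines is that the user header is mandatory; a missing header produces a 302 to the configured URL when one is set, and the present 500 otherwise.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Config carries the three header names from the issue's authproxy
// configuration plus the proposed optional redirect target. The field name
// RedirectURL is an assumption made for this example, not a Dex option.
type Config struct {
	UserHeader     string
	EmailHeader    string
	UserNameHeader string
	RedirectURL    string // empty means "keep today's behaviour: fail with an error"
}

// Identity is a stand-in for connector.Identity.
type Identity struct {
	UserID   string
	Username string
	Email    string
}

// ErrMissingHeader is the sentinel that lets the handler tell "the proxy did
// not authenticate this request" apart from any other failure.
var ErrMissingHeader = errors.New("required HTTP header is not set")

// identityFromHeaders mirrors the check quoted from authproxy.go: the user
// header is mandatory; email and username fall back to the user value here.
func identityFromHeaders(cfg Config, r *http.Request) (Identity, error) {
	remoteUser := r.Header.Get(cfg.UserHeader)
	if remoteUser == "" {
		return Identity{}, fmt.Errorf("%w: %s", ErrMissingHeader, cfg.UserHeader)
	}
	id := Identity{UserID: remoteUser, Username: remoteUser, Email: remoteUser}
	if cfg.EmailHeader != "" {
		if v := r.Header.Get(cfg.EmailHeader); v != "" {
			id.Email = v
		}
	}
	if cfg.UserNameHeader != "" {
		if v := r.Header.Get(cfg.UserNameHeader); v != "" {
			id.Username = v
		}
	}
	return id, nil
}

// ServeHTTP applies the proposed fallback: a missing header becomes a 302 to
// the configured URL when one is set, and stays a 500 otherwise. The target
// comes only from static configuration, never from the request, so the
// fallback cannot be turned into an open redirect.
func (cfg Config) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	id, err := identityFromHeaders(cfg, r)
	switch {
	case err == nil:
		fmt.Fprintf(w, "authenticated as %s <%s>\n", id.Username, id.Email)
	case errors.Is(err, ErrMissingHeader) && cfg.RedirectURL != "":
		http.Redirect(w, r, cfg.RedirectURL, http.StatusFound)
	default:
		http.Error(w, err.Error(), http.StatusInternalServerError)
	}
}

// simulate sends one request with the given headers through the handler and
// reports the status code and Location header it produced.
func simulate(cfg Config, headers map[string]string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/callback", nil)
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	cfg.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Location")
}

func main() {
	// Constructed sample configuration; the redirect target is a placeholder.
	cfg := Config{
		UserHeader:     "YNH_USER_FULLNAME",
		EmailHeader:    "YNH_USER_EMAIL",
		UserNameHeader: "YNH_USER",
		RedirectURL:    "https://sso.example.test/yunohost/sso/",
	}
	// Request that came through the SSO proxy (constructed headers).
	code, _ := simulate(cfg, map[string]string{
		"YNH_USER_FULLNAME": "Alice Example",
		"YNH_USER_EMAIL":    "alice@example.test",
		"YNH_USER":          "alice",
	})
	fmt.Println("via proxy:", code)
	// Same handler hit directly, without the proxy: redirected instead of 500.
	code, loc := simulate(cfg, nil)
	fmt.Println("direct, redirect configured:", code, loc)
	// Without RedirectURL the current behaviour is preserved.
	cfg.RedirectURL = ""
	code, _ = simulate(cfg, nil)
	fmt.Println("direct, no redirect configured:", code)
}
```

Two points for anyone implementing this in Dex itself. First, the connector's `HandleCallback` returns an `Identity` and an `error` rather than writing the response, so the server would need a way to recognise the "headers missing" error and issue the redirect itself; the sentinel error above is one shape that makes this possible. Second, the redirect only helps users who bypassed the proxy by accident; the connector still trusts whatever arrives in those headers, so the proxy in front of Dex must remain the only path by which they can be set.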