Reducing /%2F/ to / when creating redirect link #7172

@alen-z

Describe the bug

Is Authentik maybe reducing /%2F/ to / (and // to /) when creating the redirect link? RabbitMQ is not opening queues in the UI. Or should we consider this an Istio/Envoy issue?

To Reproduce

We use Istio:

  meshConfig:
    extensionProviders:
      - name: "authentik"
        envoyExtAuthzHttp:
          service: "authentik.authentik.svc.cluster.local"
          port: "80"
          pathPrefix: "/outpost.goauthentik.io/auth/envoy"
          headersToDownstreamOnAllow:
            - cookie
          headersToUpstreamOnAllow:
            - set-cookie
            - x-authentik-*
          includeRequestHeadersInCheck:
            - cookie

In general, authentication works well, but for the RabbitMQ UI, which has these kinds of URLs, things break:

https://site.com/api/queues/%2F/query-queue?lengths_age=60&lengths_incr=5&msg_rates_age=60&msg_rates_incr=5&data_rates_age=60&data_rates_incr=5

/%2F/ is ///.

Redirect is created as (note the lost ///):

Location: /outpost.goauthentik.io/auth/envoy/api/queues/query-queue?lengths_age=60&lengths_incr=5&msg_rates_age=60&msg_rates_incr=5&data_rates_age=60&data_rates_incr=5

Authentik server gets:

{"event":"/outpost.goauthentik.io/auth/envoy/outpost.goauthentik.io/auth/envoy/api/queues/query-queue?lengths_age=60&lengths_incr=5&msg_rates_age=60&msg_rates_incr=5&data_rates_age=60&data_rates_incr=5","host":"site.com","level":"info","logger":"authentik.outpost.proxyv2.application","method":"GET","name":"demo-proxy","remote":"...","runtime":"2.500","scheme":"http","size":0,"status":0,"timestamp":"2023-10-14T20:21:42Z","user":"...","user_agent":""}

Tried:

  meshConfig:
    pathNormalization:
      normalization: NONE

Expected behavior

During authentication, no URL is changed. Multiple slashes one after the other in a URL do not break authentication.

Works well:

https://site.com/api/nodes/rabbit%40rabbitmq-0.rabbitmq-headless.rabbitmq.svc.cluster.local?node_stats_age=60&node_stats_incr=5

Version and Deployment (please complete the following information):

  • authentik version: image: ghcr.io/goauthentik/server:2023.8.3
  • Deployment: Helm
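
The path loss described in this report, as an added example that is not part of the original issue and is not authentik, Istio or Envoy code: decoding the whole path before merging slashes turns `/api/queues/%2F/query-queue` into exactly the path seen in the `Location` header, while the `%40` URL survives because `@` is not a separator. The decode-then-merge order and the names `RawSegments` and `PathDrift` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"reflect"
	"strings"
)

// RawSegments splits the path as the client encoded it and only then decodes
// each segment, so an encoded slash stays inside its own segment.
func RawSegments(u *url.URL) ([]string, error) {
	parts := strings.Split(strings.TrimPrefix(u.EscapedPath(), "/"), "/")
	for i, p := range parts {
		d, err := url.PathUnescape(p)
		if err != nil {
			return nil, err
		}
		parts[i] = d
	}
	return parts, nil
}

// PathDrift models a hop that percent-decodes the whole path and then merges
// slashes (assumed behaviour for illustration). It returns the resulting path
// and whether its segments differ from the ones the client sent.
func PathDrift(raw string) (string, bool, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", false, err
	}
	want, err := RawSegments(u)
	if err != nil {
		return "", false, err
	}
	lossy := path.Clean(u.Path) // u.Path is already decoded: "%2F" is "/"
	got := strings.Split(strings.TrimPrefix(lossy, "/"), "/")
	return lossy, !reflect.DeepEqual(want, got), nil
}

func main() {
	// Path from the report (query string dropped).
	fmt.Println(PathDrift("https://site.com/api/queues/%2F/query-queue"))
}
```

Running such a check on the path each hop logs (client, Envoy, outpost, upstream) shows which hop first drops the encoded segment.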
