@jacobalberty
Contributor

@jacobalberty jacobalberty commented Nov 9, 2024

Description

This change allows specifying users/groups who are allowed to access a site in the query string of the / endpoint

Motivation and Context

Traefik configuration with oauth2-proxy has a lot of tradeoffs. The 401 middlewares setup results in no automatic redirection if you turn off the display button (#334); it also has issues with redirecting to the correct subpath after login (#1297).

These issues can be overcome with the static upstreams configuration, but then we lose out on support for allowed_groups in a query string (#1870).

How Has This Been Tested?

Locally tested this in my own docker setup

Checklist:

  • My change requires a change to the documentation or CHANGELOG.
  • I have updated the documentation/CHANGELOG accordingly.
  • I have created a feature (non-master) branch for my PR.
  • I have written tests for my code changes.

@jacobalberty jacobalberty marked this pull request as ready for review November 9, 2024 14:15
@jacobalberty jacobalberty requested a review from a team as a code owner November 9, 2024 14:15
Member

@tuunit tuunit left a comment

Hi @jacobalberty,

thanks for the PR. Overall great idea. Just minor remarks and I would love to see some additional documentation added for this change.

@jacobalberty
Contributor Author

@tuunit I just added documentation to the endpoints document. But was unsure if that was the right place for it. Is there a better place for this documentation to live?

@cdanis

cdanis commented Nov 29, 2024

Hi, can I ask what work is still needed here? I'd very much like this feature and would be happy to assist with dev hands if needed.

@jacobalberty
Contributor Author

Is there anything else that would be needed for this? I could refactor it to a dedicated endpoint for this if there's a Hyrum's Law concern here.

@jacobalberty
Contributor Author

@tuunit Is there anything else left to do on this PR? It's been a few months now; I'd love to be able to stop maintaining a fork of oauth2-proxy for my needs.

@jacobalberty
Contributor Author

Is there a viable alternative to this yet? It seems this PR has been rejected, but there doesn't seem to be any alternative to use oauth2-proxy under Traefik with this functionality.

@jacobalberty
Contributor Author

Moving to a different solution, won't be maintaining this PR anymore.

@Bigouden

Bigouden commented Jun 3, 2025

> Moving to a different solution, won't be maintaining this PR anymore

Hello, I have exactly the same issue. What alternative solution did you use?

@cdanis

cdanis commented Jun 3, 2025

> Hello, I have exactly the same issue. What alternative solution did you use?

Not OP, but there are a few different oauth2 middleware plugins for Traefik; I use sevensolutions/traefik-oidc-auth myself.

@jacobalberty
Contributor Author

> Hello, I have exactly the same issue. What alternative solution did you use?

I've got a custom bespoke IdP proxy that gives me the experience I'm looking for. It's not something suitable for release at this time; maybe in the future I'll clean up some of the code and publish it, but it doesn't function anything like oauth2-proxy and requires a bunch of extra infra.

@Bigouden

Bigouden commented Jun 4, 2025

I ended up coding a Traefik plugin that allows me to accept or deny access based on the value of a header. This plugin is chained with oauth2-proxy, which for example returns the user’s group in a header that I then check in this plugin.

https://plugins.traefik.io/plugins/68405f93b2caaa3ee768b101/header-guard
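
An added example, not part of the thread and not the header-guard plugin's code: a minimal Go `net/http` middleware showing the kind of header-based group check described in the comment above. The header name `X-Auth-Request-Groups`, the comma-separated value format and the group names `admins`/`ops` are assumptions, and the check is only meaningful if the reverse proxy overwrites any client-supplied copy of that header with the value returned by the auth service.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// groupGuard fails closed: the request passes only if the groups header
// (assumed comma-separated) names at least one group in allowed.
func groupGuard(header string, allowed []string, next http.Handler) http.Handler {
	want := make(map[string]bool, len(allowed))
	for _, g := range allowed {
		if g = strings.TrimSpace(g); g != "" { // ignore empty config entries
			want[g] = true
		}
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Values returns every occurrence of the header, not only the first.
		for _, line := range r.Header.Values(header) {
			for _, g := range strings.Split(line, ",") {
				if want[strings.TrimSpace(g)] { // exact match, no prefix or substring
					next.ServeHTTP(w, r)
					return
				}
			}
		}
		// Missing header, empty header and no match all end here.
		http.Error(w, "forbidden", http.StatusForbidden)
	})
}

// check sends one constructed request through the guard and returns the status.
func check(groupHeaders ...string) int {
	const hdr = "X-Auth-Request-Groups" // assumed header name
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	for _, v := range groupHeaders {
		req.Header.Add(hdr, v)
	}
	rec := httptest.NewRecorder()
	groupGuard(hdr, []string{"admins", "ops"}, ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(check("dev, ops"), check("dev"), check(), check("administrators"))
}
```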

@jacobalberty
Contributor Author

@Bigouden I like it, clever and clean

@tuunit tuunit reopened this Jul 20, 2025
@tuunit tuunit force-pushed the proxy-allowed_groups branch from a3fb19a to e39106d Compare November 8, 2025 12:54
@tuunit tuunit merged commit fcc2db0 into oauth2-proxy:master Nov 8, 2025
6 of 7 checks passed
@tuunit
Member

tuunit commented Nov 8, 2025

@jacobalberty and the rest, I'm sorry that I lost track of the PR.

To be honest I just lost track of it over and over again. As we are only working on the project voluntarily and don't have any allotted time from our employers it is hard to keep things on track. With OAuth2 Proxy joining the CNCF, we try to get an initiative started to get the project more streamlined and more people on board to triage and review issues and PRs.

For now this PR is finally merged.
