Add API route config

[segfault16]

Description

In addition to requests with Accept header application/json return 401 instead of 302 to login page on requests matching API paths regex.

Motivation and Context

Several APIs like grpcweb or graphql don't use application/json. See #551

How Has This Been Tested?

Extended unit tests

Checklist:

• My change requires a change to the documentation or CHANGELOG.
• I have updated the documentation/CHANGELOG accordingly.
• I have created a feature (non-master) branch for my PR.

[JoelSpeed]

This looks great, couple of nits but otherwise LGTM, thanks for putting this together

[JoelSpeed]

Do we need this line?

[JoelSpeed]

Can you move this up to the top of the function, I don't think we need to have it down here right?

[JoelSpeed]

LGTM thanks

[JoelSpeed]

Please resolve the linter issues

Linting has failed

[beezerk23]

Hey, is there a plan on when to release this in some patch version? Im using the docker image and not sure how to use the master branch directly. Any help is highly appreciated

[JoelSpeed]

Release should come soon, need to find the time to get the release together

[johnswarbrick-napier]

Hi @segfault16, please could you confirm what the format of the --api-route configuration option is?

I have a number of paths that I want to return a 401 Unauthorized if a bearer token is not present instead of issuing a 302 redirect to the OIDC provider.

I'm applying the following in my yaml:

spec:
  containers:
    - args:
      - --api-route="^(/api|admin/_api)"

And the parameters are confirmed in the logs:

[2022/11/09 20:37:46] [oauthproxy.go:496] API route - Path: ^(/api|admin/_api)

But when I try with a curl I'm still getting the 302 redirect instead of a 401:

curl -i https://<domain>/admin/_api

HTTP/1.1 302 Moved Temporarily
Date: Wed, 09 Nov 2022 20:40:28 GMT
Content-Type: text/html
Content-Length: 138
Connection: keep-alive
Location: https://<domain>/oauth2/start?rd=%2Fadmin%2F_api

I've tried various variations on the structure of the path_regex but it doesn't seem to want to match.

[segfault16]

@johnswarbrick-napier Your regex doesn't match. You probably mean this: ^(/api|/admin/_api)
Notice the leading /.

[johnswarbrick-napier]

Sorry, that was a typo in my comment.

spec:
  containers:
    - args:
      - --api-route="^(/api|/admin/_api)"

[2022/11/10 13:14:17] [oauthproxy.go:496] API route - Path: ^(/api|/admin/_api)

curl -i https://<domain>/admin/_api

HTTP/1.1 302 Moved Temporarily
Date: Thu, 10 Nov 2022 13:15:53 GMT
Content-Type: text/html
Content-Length: 138
Connection: keep-alive
Location: https://<domain>/oauth2/start?rd=%2Fadmin%2F_api

I tried simplifying it with a single path and these variants but still get the 302 redirection:

[2022/11/10 13:17:35] [oauthproxy.go:496] API route - Path: ^/admin/_api

[2022/11/10 13:19:31] [oauthproxy.go:496] API route - Path: .*/admin/_api

[2022/11/10 13:24:32] [oauthproxy.go:496] API route - Path: /admin/_api

[johnswarbrick-napier]

Hi @segfault16. Any thoughts on why even a simple path in --api-route doesn't seem to result in a change from 301 Redirect to 401 Unauthorized? I put some examples in my previous comment.

I assume the path regex isn't matching but I cannot figure out why.