AuthHost setting not being used

[nakermann1973]

I am trying to understand why my config which sets auth-host is not actually using my auth-host. On startup, my docker container logs the following (my domains obfuscated):

time="2023-06-29T18:10:50Z" level=debug msg="Starting with config
{
   "LogLevel":"debug",
   "LogFormat":"text",
   "AuthHost":"auth.my.first.domain",
   "CookieDomains":[
      {
         "Domain":"my.second.domain",
         "DomainLen":15,
         "SubDomain":".my.second.domain",
         "SubDomainLen":16
      },
      {
         "Domain":"my.first.domain",
         "DomainLen":13,
         "SubDomain":".my.first.domain",
         "SubDomainLen":14
      }
   ],
   "InsecureCookie":true,
   "CookieName":"_forward_auth",
   "CSRFCookieName":"_forward_auth_csrf",
   "DefaultAction":"auth",
   "DefaultProvider":"google",
   "Domains":null,
   "LifetimeString":43200,
   "LogoutRedirect":"",
   "MatchWhitelistOrDomain":false,
   "Path":"/_oauth",
   "Whitelist":null,
   "Providers":{
      "Google":{
         "ClientID":"MY_CLIENT_ID",
         "Scope":"https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email",
         "Prompt":"select_account",
         "LoginURL":{
            "Scheme":"https",
            "Opaque":"",
            "User":null,
            "Host":"accounts.google.com",
            "Path":"/o/oauth2/auth",
            "RawPath":"",
            "ForceQuery":false,
            "RawQuery":"",
            "Fragment":""
         },
         "TokenURL":{
            "Scheme":"https",
            "Opaque":"",
            "User":null,
            "Host":"www.googleapis.com",
            "Path":"/oauth2/v3/token",
            "RawPath":"",
            "ForceQuery":false,
            "RawQuery":"",
            "Fragment":""
         },
         "UserURL":{
            "Scheme":"https",
            "Opaque":"",
            "User":null,
            "Host":"www.googleapis.com",
            "Path":"/oauth2/v2/userinfo",
            "RawPath":"",
            "ForceQuery":false,
            "RawQuery":"",
            "Fragment":""
         }
      },
      "OIDC":{
         "IssuerURL":"",
         "ClientID":"",
         "Resource":"",
         "Config":null
      },
      "GenericOAuth":{
         "AuthURL":"",
         "TokenURL":"",
         "UserURL":"",
         "ClientID":"",
         "Scopes":[
            "profile",
            "email"
         ],
         "TokenStyle":"header",
         "Resource":"",
         "Config":null
      }
   },
   "Rules":{
      
   },
   "Lifetime":43200000000000,
   "CookieDomainsLegacy":null,
   "CookieSecureLegacy":"",
   "ClientIdLegacy":"",
   "PromptLegacy":""
}

All my sites mentioned below are successfully accessible using tls.

I have two sites:

• whoami.my.second.domain successfully prompts for google authentication, and after logging in, X-Forwarded-User is set correctly.
• whoami2.my.second.domain loads a google authentication error "Access blocked: This app’s request is invalid. Error 400: redirect_uri_mismatch.

https://whoami.my.second.domain/_oauth and https://auth.my.first.domain/_oauth are listed in "Authorised redirect URIs" in my oauth2 client id, but https://whoami2.my.second.domain/_oauth is not.

When I run curl -i https://whoami.my.second.domain, the redirect location URI contains redirect_uri=https%3A%2F%2Fwhoami.my.second.domain%2F_oauth

When I run curl -i https://whoami2.my.second.domain, the redirect location URI contains redirect_uri=https%3A%2F%2Fwhoami2.my.second.domain%2F_oauth

I understand why https://whoami.my.second.domain is successful, since it is listed as an authorised redirect URI and whoami2 is not. What I don't understand is why it is not using auth.my.first.domain in the redirect URI , and using my configured auth-host

[nakermann1973]

Taking a quick look at the code, I think the problem is coming from

traefik-forward-auth/internal/auth.go

Line 159 in c4317b7

return reqMatch && authMatch && reqHost == authHost, reqHost

. My config.AuthHost is in one domain (auth.my.first.domain), and my request is to the second domain (whoami2.my.second.domain). Both of these are in my cookiedomains, but the code checks if authHost and reqHost match, which they don't.

If I change L159 to return reqMatch && authMatch, reqHost, then I correctly get redirected to a location containing redirect_uri=https%3A%2F%2Fauth.my.first.domain%2F_oauth, but then I get a 'Not authorized' error in my browser which I have not yet looked into.