[Feature Request] Return the external auth service response body when 401, 403 or other error occurs #12211
Description
Currently, ingress-nginx does not return the response body from the auth service when a 401, 403 or other error occurs. This feature request suggests adding a flag to enable this functionality. By returning the response body, users can have a better understanding of why their request was denied and what steps they can take to resolve the issue.
Why we really need this feature
We are using an external auth service with the keepalive feature enabled:
To return the auth service response body, we have attempted several workarounds, such as:
However, none of these workarounds are effective for the keepalive case, as the keepalive has its own implementation and is already using access_by_lua_block in the nginx template file. Those workarounds would result in Lua block duplicate definition errors.
Therefore, we can only make changes for the access_by_lua_block in nginx template file to return the response body. This is why we are requesting this feature.
Implementation
Introduce a new flag (e.g., auth-return-response-body or auth-keepalive-return-response-body for keepalive specific) in the ingress-nginx annotation. When this flag is enabled, ingress-nginx will return the response body from the external authentication service in the response to the client when a 401, 403 or other error occurs.
For the keepalive scenario, maybe we add `ngx.say(res.body)` before `ngx.exit(res.status)` in the nginx template file.
For the non-keepalive scenario, other workarounds can be used, such as adding the access_by_lua_block when the flag is enabled, or using the same authentication method as the keepalive does.
Additional Context
This feature could be significantly useful for our scenario. If you think this feature is an appropriate request, I'm also willing to contribute to its implementation.
If you think this is an invalid requirement, I would appreciate any alternative solutions you might suggest to return the response body for keepalive case.
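An added sketch of the relay step proposed above (not part of the original issue and not ingress-nginx code): in OpenResty the status has to be set before the first output call, so the helper sets `ngx.status`, writes a size-capped body, and relays only 401/403 so that auth-service failures do not expose internal error pages. The names `relay_auth_denial`, `MAX_BODY` and the stub are hypothetical, and `res` is assumed to carry the `status`, `header` and `body` fields of an OpenResty subrequest result.

```lua
-- Added example; relay_auth_denial, MAX_BODY and stub() are hypothetical names.
local MAX_BODY = 4096                      -- assumed cap on relayed bytes
local RELAYED = { [401] = true, [403] = true }

local function relay_auth_denial(ngx, res)
    if not RELAYED[res.status] then
        -- Auth service failure: log it, but keep its error page away from the client.
        ngx.log(ngx.ERR, "auth subrequest returned status ", res.status)
        return ngx.exit(500)
    end
    -- Set the status before any output; once the first body chunk is
    -- written the headers are sent and the status line is fixed.
    ngx.status = res.status
    ngx.header["Content-Type"] = res.header["Content-Type"] or "text/plain"
    ngx.header["Cache-Control"] = "no-store"
    local challenge = res.header["WWW-Authenticate"]
    if challenge then ngx.header["WWW-Authenticate"] = challenge end
    -- ngx.print relays the bytes unchanged (ngx.say would append a newline).
    ngx.print(string.sub(res.body or "", 1, MAX_BODY))
    -- The response already carries res.status, so just end the request.
    return ngx.exit(ngx.HTTP_OK)
end

-- Constructed stub so the block also runs under plain `lua`;
-- inside nginx, pass the real `ngx` table instead.
local function stub()
    local s = { header = {}, HTTP_OK = 200, ERR = 4, out = {} }
    s.log = function() end
    s.print = function(b) s.out.body = b end
    s.exit = function(code) s.out.exit = code end
    return s
end

-- Constructed sample responses.
local a = stub()
relay_auth_denial(a, { status = 403, header = {}, body = '{"error":"token expired"}' })
assert(a.status == 403 and a.out.exit == 200)
assert(a.out.body == '{"error":"token expired"}')

local b = stub()
relay_auth_denial(b, { status = 502, header = {}, body = "upstream stack trace" })
assert(b.status == nil and b.out.exit == 500 and b.out.body == nil)
```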