[Feature Request] Return the external auth service response body when 401, 403 or other error occurs

[liukun2634]

Description

Currently, ingress-nginx does not return the response body from the auth service when a 401, 403 or other error occurs. This feature request suggests adding a flag to enable this functionality. By returning the response body, users can have a better understanding of why their request was denied and what steps they can take to resolve the issue.
 
Why we really need this feature
 
We are using external auth serive with the keepalive feature enabled:

# ingress-nginx version 1.9.6
nginx.ingress.kubernetes.io/auth-url: "http://authenticationservice.com"
nginx.ingress.kubernetes.io/auth-keepalive: "500"
nginx.ingress.kubernetes.io/auth-keepalive-requests: "10000"
nginx.ingress.kubernetes.io/auth-keepalive-timeout: "100"
nginx.ingress.kubernetes.io/auth-method: POST
nginx.ingress.kubernetes.io/auth-response-headers: Authorization

 
To return the auth service response body, we have attempted several workarounds, such as:

• Setting the response body in the response header
• Returning the body in access_by_lua_block

However, none of these workarounds are effective for the keepalive case, as the keepalive has its own implementation and already using access_by_lua_block in nginx template file. Those workaround would result in lua block duplicate definition errors.

# `auth_request` module does not support HTTP keepalives in upstream block:
# https://trac.nginx.org/nginx/ticket/1579
access_by_lua_block {
    local res = ngx.location.capture(..) 
    ...
    end
    if res.status == ngx.HTTP_UNAUTHORIZED or res.status == ngx.HTTP_FORBIDDEN then
        ngx.exit(res.status)
    end
    ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
}

Therefore, we can only make changes for the access_by_lua_block in nginx template file to return the response body. This is why we are requesting this feature.

Implementation

Introduce a new flag (e.g., auth-return-response-body or auth-keepalive-return-response-body for keepalive specific) in the ingress-nginx annotation. When this flag is enabled, ingress-nginx will return the response body from the external authentication service in the response to the client when a 401, 403 or others error occurs.

For the keepalive scenario, maybe we add ngx.say(res.body) before nginx.exit(res.status) in nginx template file.
 
For the non-keepalive scenario, other workarounds can be used, such as adding the access_by_lua_block when the flag is enabled, or using the same authentication method as the keepalive does.
 
Additional Context
 
This feature could significantly useful for our scenario. If you think this feature is a appropriate request, I'm also willing to contribute to its implementation.
 
If you think this is an invalid requirement, I would appreciate any alternative solutions you might suggest to return the response body for keepalive case.

[k8s-ci-robot]

This issue is currently awaiting triage.

If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.