external-auth annotation: Is it okay to have a username and password in the url?

8/13/2019

Is ingress-nginx's external-auth secure when using an external service like httpbin? The example connects to https://httpbin.org/basic-auth/user/passwd with the user and password inside of the URL.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-url: https://httpbin.org/basic-auth/user/passwd

It seems to work fine when I try it myself (read: when inspecting with curl, I cannot see this URL), but maybe I'm missing something.

Is this secure for a production environment?

Reference: https://kubernetes.github.io/ingress-nginx/examples/auth/external-auth/

-- Nick
kubernetes
nginx-ingress
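Some context for the question above, with an added check that is not part of the original post: ingress-nginx resolves auth-url with a server-side subrequest from the controller, so a client talking to the ingress never sees that URL (which is why curl shows nothing). The exposure is elsewhere: the URL sits in the Ingress manifest, so anyone who can read the object, the git history it came from, or controller logs that record the upstream gets the credentials. The linter below (example code, not from ingress-nginx) walks an Ingress object in dict form and flags auth-url values that carry credentials in the userinfo part, embed them httpbin-style in the path, or use plaintext HTTP; the sample manifest is constructed to match the one in the question.

```python
"""Lint ingress-nginx auth-url annotations for credential exposure.

Added example, not from the original post or from ingress-nginx. The sample
manifest is constructed to mirror the one in the question.
"""
from urllib.parse import urlsplit

AUTH_URL_ANNOTATION = "nginx.ingress.kubernetes.io/auth-url"

# Constructed sample: a minimal dict-form Ingress like the one in the question.
SAMPLE_INGRESS = {
    "apiVersion": "extensions/v1beta1",
    "kind": "Ingress",
    "metadata": {
        "name": "example",
        "annotations": {
            AUTH_URL_ANNOTATION: "https://httpbin.org/basic-auth/user/passwd",
        },
    },
}


def check_auth_url(url):
    """Return a list of findings (strings) for one auth-url value."""
    findings = []
    parts = urlsplit(url)

    # The controller forwards the client's request headers (including any
    # Authorization header) to this URL, so plaintext HTTP leaks them in transit.
    if parts.scheme != "https":
        findings.append(
            "auth-url is not https: the auth subrequest and any forwarded "
            "Authorization header travel in the clear"
        )

    # Credentials in the userinfo component, e.g. https://user:pass@host/...
    if parts.username or parts.password:
        findings.append("auth-url carries userinfo credentials (user:pass@host)")

    # Heuristic for services like httpbin that take credentials as path
    # segments: /basic-auth/<user>/<password>.
    segments = [s for s in parts.path.split("/") if s]
    if "basic-auth" in segments:
        idx = segments.index("basic-auth")
        if len(segments) - idx >= 3:
            findings.append(
                "auth-url embeds credentials in the path "
                "(httpbin-style /basic-auth/<user>/<password>)"
            )
    return findings


def lint_ingress(ingress):
    """Return findings for an Ingress object (dict form); empty means clean."""
    metadata = ingress.get("metadata") or {}
    annotations = metadata.get("annotations") or {}
    url = annotations.get(AUTH_URL_ANNOTATION)
    if url is None:
        return []
    return check_auth_url(url)


if __name__ == "__main__":
    for finding in lint_ingress(SAMPLE_INGRESS):
        print(f"{SAMPLE_INGRESS['metadata']['name']}: {finding}")
```

Run it against manifests loaded from `kubectl get ingress -o json` (the `items` list holds dict-form objects in exactly the shape above) to find auth-url values that should be moved to a credential the auth service holds on its side rather than one the manifest carries.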

1 Answer

8/13/2019

General.
It is never OK to put a username and password in a GET URL in any environment. It should be POST, and that too encrypted.

To your problem.
Basic auth is just an FYI. Use OAuth, which is pretty common.

https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/

-- yogesh kunjir
Source: StackOverflow