Rename redirect query parameter into rd for compatibility with nginx-ingress

example/compose/nginx/backend/html/home/index.html

@@ -56,7 +56,7 @@
     </li>
   </ul>
 
-  You can also log off by visiting the following <a href="https://login.example.com:8080/logout?redirect=https://home.example.com:8080/">link</a>.
+  You can also log off by visiting the following <a href="https://login.example.com:8080/logout?rd=https://home.example.com:8080/">link</a>.
 
   <h1>List of users</h1>
   Here is the list of credentials you can log in with to test access control.<br/>

example/compose/nginx/portal/nginx.conf

@@ -96,7 +96,7 @@ http {
 
             proxy_set_header Host $http_host;
 
-            error_page 401 =302 https://login.example.com:8080?redirect=$redirect;
+            error_page 401 =302 https://login.example.com:8080?rd=$redirect;
             error_page 403 = https://login.example.com:8080/error/403;
 
             proxy_pass        $upstream_endpoint;
@@ -113,7 +113,7 @@ http {
             auth_request_set $groups $upstream_http_remote_groups;
             proxy_set_header Custom-Forwarded-Groups $groups;
 
-            error_page 401 =302 https://login.example.com:8080?redirect=$redirect;
+            error_page 401 =302 https://login.example.com:8080?rd=$redirect;
             error_page 403 = https://login.example.com:8080/error/403;
 
             proxy_pass        $upstream_headers;
@@ -159,7 +159,7 @@ http {
 
             proxy_set_header Host $http_host;
 
-            error_page 401 =302 https://login.example.com:8080?redirect=$redirect;
+            error_page 401 =302 https://login.example.com:8080?rd=$redirect;
             error_page 403 = https://login.example.com:8080/error/403;
 
             proxy_pass        $upstream_endpoint;
@@ -205,7 +205,7 @@ http {
 
             proxy_set_header Host $http_host;
 
-            error_page 401 =302 https://login.example.com:8080?redirect=$redirect;
+            error_page 401 =302 https://login.example.com:8080?rd=$redirect;
             error_page 403 = https://login.example.com:8080/error/403;
 
             proxy_pass        $upstream_endpoint;
@@ -251,7 +251,7 @@ http {
 
             proxy_set_header Host $http_host;
 
-            error_page 401 =302 https://login.example.com:8080?redirect=$redirect;
+            error_page 401 =302 https://login.example.com:8080?rd=$redirect;
             error_page 403 = https://login.example.com:8080/error/403;
 
             proxy_pass        $upstream_endpoint;
@@ -299,7 +299,7 @@ http {
 
             proxy_set_header Host $http_host;
 
-            error_page 401 =302 https://login.example.com:8080?redirect=$redirect;
+            error_page 401 =302 https://login.example.com:8080?rd=$redirect;
             error_page 403 = https://login.example.com:8080/error/403;
 
             proxy_pass        $upstream_endpoint;
@@ -316,7 +316,7 @@ http {
             auth_request_set $groups $upstream_http_remote_groups;
             proxy_set_header Custom-Forwarded-Groups $groups;
 
-            error_page 401 =302 https://login.example.com:8080?redirect=$redirect;
+            error_page 401 =302 https://login.example.com:8080?rd=$redirect;
             error_page 403 = https://login.example.com:8080/error/403;
 
             proxy_pass        $upstream_headers;

example/kube/apps/app-home/index.html

@@ -29,7 +29,7 @@
       </ul>
     </p>
     <p>
-      You can always log off by clicking <a href="https://login.kube.example.com/logout?redirect=http://home.kube.example.com">here</a>
+      You can always log off by clicking <a href="https://login.kube.example.com/logout?rd=http://home.kube.example.com">here</a>
     </p>
   </body>
 </html>

example/kube/apps/secure-ingress.yml

@@ -7,7 +7,7 @@ metadata:
   annotations:
     kubernetes.io/ingress.class: "nginx"
     nginx.ingress.kubernetes.io/auth-url: "http://authelia-service.authelia.svc.cluster.local/api/verify"
-    nginx.ingress.kubernetes.io/auth-signin: "https://login.kube.example.com?redirect=$redirect"
+    nginx.ingress.kubernetes.io/auth-signin: "https://login.kube.example.com"
 spec:
   tls:
   - secretName: app2-tls

example/kube/ingress-controller/deployment.yml

@@ -20,16 +20,16 @@ spec:
     spec:
       terminationGracePeriodSeconds: 60
       containers:
-      - image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.9.0-beta.19
+      - image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.13.0
         name: nginx-ingress-controller-external
         imagePullPolicy: Always
         ports:
         - containerPort: 80
         - containerPort: 443
-        volumeMounts:
-          - mountPath: /etc/nginx/template
-            name: nginx-template-volume
-            readOnly: true
+        # volumeMounts:
+        #   - mountPath: /etc/nginx/template
+        #     name: nginx-template-volume
+        #     readOnly: true
         env:
         - name: POD_NAME
           valueFrom:
@@ -44,7 +44,7 @@ spec:
         - --ingress-class=nginx
         - --election-id=ingress-controller-leader-external
         - --default-backend-service=$(POD_NAMESPACE)/default-http-backend
-        - --configmap=$(POD_NAMESPACE)/authelia-ingress-controller-config
+        # - --configmap=$(POD_NAMESPACE)/authelia-ingress-controller-config
       volumes:
         - name: nginx-template-volume
           configMap:

server/src/lib/routes/firstfactor/get.ts

@@ -20,7 +20,8 @@ function redirectToSecondFactorPage(req: express.Request, res: express.Response)
   if (!redirectUrl)
     res.redirect(Endpoints.SECOND_FACTOR_GET);
   else
-    res.redirect(Util.format("%s?redirect=%s", Endpoints.SECOND_FACTOR_GET,
+    res.redirect(Util.format("%s?%s=%s", Endpoints.SECOND_FACTOR_GET,
+      Constants.REDIRECT_QUERY_PARAM,
       encodeURIComponent(redirectUrl)));
 }
 

shared/constants.ts

@@ -1 +1 @@
-export const REDIRECT_QUERY_PARAM = "redirect";
+export const REDIRECT_QUERY_PARAM = "rd";

test/features/access-control.feature

@@ -2,7 +2,7 @@ Feature: User has access restricted access to domains
 
   @need-registered-user-john
   Scenario: User john has admin access
-    When I visit "https://login.example.com:8080?redirect=https%3A%2F%2Fhome.example.com%3A8080%2F"
+    When I visit "https://login.example.com:8080?rd=https%3A%2F%2Fhome.example.com%3A8080%2F"
     And I login with user "john" and password "password"
     And I use "REGISTERED" as TOTP token handle
     And I click on "Sign in"
@@ -20,7 +20,7 @@ Feature: User has access restricted access to domains
 
   @need-registered-user-bob
   Scenario: User bob has restricted access
-    When I visit "https://login.example.com:8080?redirect=https%3A%2F%2Fhome.example.com%3A8080%2F"
+    When I visit "https://login.example.com:8080?rd=https%3A%2F%2Fhome.example.com%3A8080%2F"
     And I login with user "bob" and password "password"
     And I use "REGISTERED" as TOTP token handle
     And I click on "Sign in"
@@ -38,7 +38,7 @@ Feature: User has access restricted access to domains
 
   @need-registered-user-harry
   Scenario: User harry has restricted access
-    When I visit "https://login.example.com:8080?redirect=https%3A%2F%2Fhome.example.com%3A8080%2F"
+    When I visit "https://login.example.com:8080?rd=https%3A%2F%2Fhome.example.com%3A8080%2F"
     And I login with user "harry" and password "password"
     And I use "REGISTERED" as TOTP token handle
     And I click on "Sign in"

test/features/auth-portal-redirection.feature

@@ -3,16 +3,16 @@ Feature: User is redirected when factors are already validated
   @need-registered-user-john
   Scenario: User has validated first factor and tries to access service protected by second factor. He is then redirect to second factor step.
     When I visit "https://single_factor.example.com:8080/secret.html"
-    And I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fsingle_factor.example.com%3A8080%2Fsecret.html"
+    And I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fsingle_factor.example.com%3A8080%2Fsecret.html"
     And I login with user "john" and password "password"
     And I'm redirected to "https://single_factor.example.com:8080/secret.html"
     And I visit "https://public.example.com:8080/secret.html"
-    Then I'm redirected to "https://login.example.com:8080/secondfactor?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
+    Then I'm redirected to "https://login.example.com:8080/secondfactor?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
 
   @need-registered-user-john
   Scenario: User who has validated second factor and access auth portal should be redirected to "Already logged in page" and redirected to default URL declared in configuration
     When I visit "https://public.example.com:8080/secret.html"
-    And I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
+    And I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
     And I login with user "john" and password "password"
     And I use "REGISTERED" as TOTP token handle
     And I click on "Sign in"
@@ -25,10 +25,10 @@ Feature: User is redirected when factors are already validated
   @need-registered-user-john
   Scenario: User who has validated second factor and access auth portal with rediction param should be redirected to that URL
     When I visit "https://public.example.com:8080/secret.html"
-    And I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
+    And I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
     And I login with user "john" and password "password"
     And I use "REGISTERED" as TOTP token handle
     And I click on "Sign in"
     And I'm redirected to "https://public.example.com:8080/secret.html"
-    And I visit "https://login.example.com:8080?redirect=https://public.example.com:8080/secret.html"
+    And I visit "https://login.example.com:8080?rd=https://public.example.com:8080/secret.html"
     Then I'm redirected to "https://public.example.com:8080/secret.html"

test/features/authelia.feature

@@ -5,5 +5,5 @@ Feature: Generic tests on Authelia endpoints
     Then I get error code 401
 
   Scenario: /api/verify redirects when redirect parameter is provided
-    When I query "https://authelia.example.com:8080/api/verify?redirect=http://login.example.com:8080"
+    When I query "https://authelia.example.com:8080/api/verify?rd=http://login.example.com:8080"
     Then I get redirected to "http://login.example.com:8080"

test/features/authentication.feature

@@ -19,7 +19,7 @@ Feature: Authentication scenarii
     And I login with user "john" and password "password"
     And I register a TOTP secret called "Sec0"
     When I visit "https://admin.example.com:8080/secret.html"
-    And I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html"
+    And I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html"
     And I login with user "john" and password "password" 
     And I use "Sec0" as TOTP token handle
     And I click on "Sign in"
@@ -27,12 +27,12 @@ Feature: Authentication scenarii
 
   Scenario: User fails TOTP second factor
     When I visit "https://admin.example.com:8080/secret.html"
-    And I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html"
+    And I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html"
     And I login with user "john" and password "password"
     And I use "BADTOKEN" as TOTP token
     And I click on "Sign in"
     Then I get a notification of type "error" with message "Authentication failed. Have you already registered your secret?"
 
   Scenario: Logout redirects user to redirect URL given in parameter
-    When I visit "https://login.example.com:8080/logout?redirect=https://home.example.com:8080/"
+    When I visit "https://login.example.com:8080/logout?rd=https://home.example.com:8080/"
     Then I'm redirected to "https://home.example.com:8080/"

test/features/redirection.feature

@@ -2,7 +2,7 @@ Feature: User is correctly redirected
 
   Scenario: User is redirected to authelia when he is not authenticated
     When I visit "https://public.example.com:8080"
-    Then I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2F"
+    Then I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fpublic.example.com%3A8080%2F"
 
   @need-registered-user-john
   Scenario: User is redirected to home page after several authentication tries
@@ -22,7 +22,7 @@ Feature: User is correctly redirected
 
   Scenario: Redirection URL is propagated from restricted page to first factor
     When I visit "https://public.example.com:8080/secret.html"
-    Then I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
+    Then I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
 
   Scenario: Redirection URL is propagated from first factor to second factor
     Given I visit "https://login.example.com:8080/"
@@ -30,7 +30,7 @@ Feature: User is correctly redirected
     And I register a TOTP secret called "Sec0"
     When I visit "https://public.example.com:8080/secret.html"
     And I login with user "john" and password "password"
-    Then I'm redirected to "https://login.example.com:8080/secondfactor?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
+    Then I'm redirected to "https://login.example.com:8080/secondfactor?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
 
   Scenario: Redirection URL is used to send user from second factor to target page
     Given I visit "https://login.example.com:8080/"

test/features/regulation.feature

@@ -20,7 +20,7 @@ Feature: Authelia regulates authentication to avoid brute force
 
   @need-registered-user-blackhat
   Scenario: User is unbanned after a configured amount of time
-    Given I visit "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
+    Given I visit "https://login.example.com:8080/?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
     And I set field "username" to "blackhat"
     And I set field "password" to "bad-password"
     And I click on "Sign in"

test/features/resilience.feature

@@ -8,7 +8,7 @@ Feature: Authelia keeps user sessions despite the application restart
   @need-registered-user-john
   Scenario: Secrets are stored even when Authelia restarts
     When the application restarts
-    And I visit "https://admin.example.com:8080/secret.html" and get redirected "https://login.example.com:8080/?redirect=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html"
+    And I visit "https://admin.example.com:8080/secret.html" and get redirected "https://login.example.com:8080/?rd=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html"
     And I login with user "john" and password "password" 
     And I use "REGISTERED" as TOTP token handle
     And I click on "Sign in"

test/features/session-timeout.feature

@@ -6,7 +6,7 @@ Feature: Session is closed after a certain amount of time
     Given I have access to "https://public.example.com:8080/secret.html"
     When I sleep for 6 seconds
     And I visit "https://public.example.com:8080/secret.html"
-    Then I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
+    Then I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
 
   @need-authenticated-user-john
   Scenario: An authenticated user is disconnected after session expiration period
@@ -17,4 +17,4 @@ Feature: Session is closed after a certain amount of time
     And I visit "https://public.example.com:8080/secret.html"
     And I sleep for 4 seconds
     And I visit "https://public.example.com:8080/secret.html"
-    Then I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
+    Then I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"

test/features/single-factor-domain.feature

@@ -1,14 +1,14 @@
 Feature: User can access certain subdomains with single factor
 
   Scenario: User is redirected to service after first factor if allowed
-    When I visit "https://login.example.com:8080/?redirect=https%3A%2F%2Fsingle_factor.example.com%3A8080%2Fsecret.html"
+    When I visit "https://login.example.com:8080/?rd=https%3A%2F%2Fsingle_factor.example.com%3A8080%2Fsecret.html"
     And I login with user "john" and password "password"
     Then I'm redirected to "https://single_factor.example.com:8080/secret.html"
 
   Scenario: Redirection after first factor fails if single_factor not allowed. It redirects user to first factor.
-    When I visit "https://login.example.com:8080/?redirect=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html"
+    When I visit "https://login.example.com:8080/?rd=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html"
     And I login with user "john" and password "password"
-    Then I'm redirected to "https://login.example.com:8080/?redirect=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html"
+    Then I'm redirected to "https://login.example.com:8080/?rd=https%3A%2F%2Fadmin.example.com%3A8080%2Fsecret.html"
 
   Scenario: User can login using basic authentication
     When I request "https://single_factor.example.com:8080/secret.html" with username "john" and password "password" using basic authentication

test/features/single-factor-only-server.feature

@@ -3,7 +3,7 @@ Feature: Server is configured as a single factor only server
 
   @need-registered-user-john
   Scenario: User is redirected to service after first factor if allowed
-    When I visit "https://login.example.com:8080/?redirect=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
+    When I visit "https://login.example.com:8080/?rd=https%3A%2F%2Fpublic.example.com%3A8080%2Fsecret.html"
     And I login with user "john" and password "password"
     Then I'm redirected to "https://public.example.com:8080/secret.html"