server: fix incorrect headers passed by oauth2-proxy#9468
Conversation
There was a problem hiding this comment.
Code Review
This pull request implements the filtering of hop-by-hop headers in the OAuth2 proxy middleware to ensure proper protocol compliance when forwarding responses. The changes include defining a set of standard hop-by-hop headers and excluding them from the response headers sent to the client. Feedback was provided to use a frozenset for the header collection to ensure immutability as a module-level constant.
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
|
@cblmemo what do you think? |
|
We hit exactly this in a Helm deployment (chart 0.12.0, also reproduced on 0.12.3.post1) using native OIDC ( We confirmed this fix resolves it: pinning Since |
SkyPilot API server passes replies from oauth2-proxy with all its headers, which may lead to confusing situations, such as having both
Content-LentgthandTransfer-Encodingheaders in the same reply, which lead to protocol errors in a reverse proxy.It's considered a good practice to ignore hop-by-hop headers in such cases.
Tested (run the relevant ones):
bash format.sh/smoke-test(CI) orpytest tests/test_smoke.py(local)/smoke-test -k test_name(CI) orpytest tests/test_smoke.py::test_name(local)/quicktest-core(CI) orpytest tests/smoke_tests/test_backward_compat.py(local)