external-auth annotation: Is it okay to have a username and password in the url?

Question

Is ingress-nginx's external-auth secure when using an external service like httpbin? The example connects to https://httpbin.org/basic-auth/user/passwd with the user and password inside of the URL.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/auth-url: https://httpbin.org/basic-auth/user/passwd

It seems to work fine when I try it myself. (read: when inspecting with curl, I cannot see this url) but maybe I'm missing something.

Is this secure for a production environment?

Reference: https://kubernetes.github.io/ingress-nginx/examples/auth/external-auth/

yogesh kunjir yogesh kunjir · Accepted Answer · 2019-08-13T04:24:10

General.
It is never ok to put username and password in GET URL in any environment. It should be post and that to encrypted.

To your problem.
Basic auth is just as FYI.. Use oauth which is pretty common.

https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/

external-auth annotation: Is it okay to have a username and password in the url?

1 Answers