bitly / oauth2_proxy

A reverse proxy that provides authentication with Google, Github or other provider
MIT License

stuck on github setup #225

Open hulbert opened 8 years ago

hulbert commented 8 years ago

I'm trying to set up proxying on Heroku using oauth2_proxy with Github in front.

I've tried a number of things but continue to just get redirected back to the sign in page. The cookie never seems to get set and the logging of the session after successful contact with Github seems odd compared to other examples I've seen.

The Heroku procfile runs this bin/oauth2_proxy-2.0.1.linux-amd64.go1.4.2/oauth2_proxy -http-address="0.0.0.0:$PORT" -config='oauth2_proxy.cfg'. The config file (after massaging numerous times, I've tried a variety of things) looks like this:

provider = "github"
github_org = "<redacted string>"
github_team = "*"
scope = "user:email,read:org"
email_domains = ["*"]
upstreams = ["http://127.0.0.1:8080/"]
pass_host_header = false
redirect_url = "https://APP.herokuapp.com/oauth2/callback"
cookie_name = "scott_cookie"
cookie_secure = false
cookie_httponly = false
request_logging = true

I set up a Github app as directed in the README on master, with the redirect URL matching before.

I've tried config files without the last 5 lines from above, and also with the scope not set.

There are three environment variables set on the Heroku box:

OAUTH2_PROXY_CLIENT_ID
OAUTH2_PROXY_CLIENT_SECRET
OAUTH2_PROXY_COOKIE_SECRET

Here are logs of restarting the dyno and loading the main page. I've also tried revoking all user access tokens via Github.

2016-03-11T02:44:58.010137+00:00 heroku[web.1]: State changed from up to starting
2016-03-11T02:44:58.009489+00:00 heroku[web.1]: Restarting
2016-03-11T02:44:58.635172+00:00 heroku[web.1]: Starting process with command `bin/oauth2_proxy-2.0.1.linux-amd64.go1.4.2/oauth2_proxy -http-address="0.0.0.0:37429" -config='oauth2_proxy.cfg'`
2016-03-11T02:44:59.789145+00:00 app[web.1]: 2016/03/11 02:44:59 oauthproxy.go:90: mapping path "/" => upstream "http://127.0.0.1:8080/"
2016-03-11T02:44:59.789218+00:00 app[web.1]: 2016/03/11 02:44:59 oauthproxy.go:106: OauthProxy configured for GitHub Client ID: <REDACTED>
2016-03-11T02:44:59.789239+00:00 app[web.1]: 2016/03/11 02:44:59 oauthproxy.go:116: Cookie settings: name:scott_cookie secure(https):false httponly:false expiry:168h0m0s domain:<default> refresh:disabled
2016-03-11T02:44:59.789628+00:00 app[web.1]: 2016/03/11 02:44:59 http.go:45: HTTP: listening on 0.0.0.0:37429
2016-03-11T02:45:00.331916+00:00 heroku[web.1]: State changed from starting to up
2016-03-11T02:45:02.502895+00:00 heroku[web.1]: Stopping all processes with SIGTERM
2016-03-11T02:45:04.624421+00:00 heroku[web.1]: Process exited with status 2
2016-03-11T02:45:19.165681+00:00 heroku[router]: at=info method=GET path="/" host=APP.herokuapp.com request_id=66ef9711-c8cb-43b8-b92d-9e885642479c fwd="<scotts-ip>" dyno=web.1 connect=2ms service=3ms status=403 bytes=2523
2016-03-11T02:45:19.164866+00:00 app[web.1]: 2016/03/11 02:45:19 oauthproxy.go:455: 10.153.220.144:54290 Cookie "scott_cookie" not present
2016-03-11T02:45:19.165868+00:00 app[web.1]: 10.153.220.144 - - [11/Mar/2016:02:45:19 +0000] APP.herokuapp.com GET - "/" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/600.7.12 (KHTML, like Gecko) Version/8.0.7 Safari/600.7.12" 403 2244 0.001
2016-03-11T02:45:22.954286+00:00 heroku[router]: at=info method=GET path="/oauth2/start?rd=%2F" host=APP.herokuapp.com request_id=0552cc36-2b2f-4d7d-ac61-4e1984d561bc fwd="<scotts-ip>" dyno=web.1 connect=1ms service=2ms status=302 bytes=676
2016-03-11T02:45:22.954742+00:00 app[web.1]: 10.153.220.144 - - [11/Mar/2016:02:45:22 +0000] APP.herokuapp.com GET - "/oauth2/start?rd=%2F" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/600.7.12 (KHTML, like Gecko) Version/8.0.7 Safari/600.7.12" 302 284 0.000
2016-03-11T02:45:24.157519+00:00 heroku[router]: at=info method=GET path="/oauth2/callback?code=064f923ecdd4801bb31f&state=%2F" host=APP.herokuapp.com request_id=8d52aca7-6675-49d2-9e3a-e25ab20cd4f3 fwd="<scotts-ip>" dyno=web.1 connect=2ms service=121ms status=302 bytes=286
2016-03-11T02:45:24.157749+00:00 app[web.1]: 2016/03/11 02:45:24 oauthproxy.go:435: 10.153.220.144:59510 authentication complete Session{ token:true}
2016-03-11T02:45:24.157824+00:00 app[web.1]: 10.153.220.144 - - [11/Mar/2016:02:45:24 +0000] APP.herokuapp.com GET - "/oauth2/callback?code=064f923ecdd4801bb31f&state=%2F" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/600.7.12 (KHTML, like Gecko) Version/8.0.7 Safari/600.7.12" 302 24 0.120
2016-03-11T02:45:24.409132+00:00 heroku[router]: at=info method=GET path="/" host=APP.herokuapp.com request_id=5e65eda0-c702-4b10-ab27-36e34f76ce6a fwd="<scotts-ip>" dyno=web.1 connect=1ms service=2ms status=403 bytes=2523
2016-03-11T02:45:24.408874+00:00 app[web.1]: 2016/03/11 02:45:24 oauthproxy.go:455: 10.153.220.144:45667 Cookie Signature not valid
2016-03-11T02:45:24.409032+00:00 app[web.1]: 10.153.220.144 - - [11/Mar/2016:02:45:24 +0000] APP.herokuapp.com GET - "/" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/600.7.12 (KHTML, like Gecko) Version/8.0.7 Safari/600.7.12" 403 2244 0.000

The line that looks weird to me is authentication complete Session{ token:true}. Other posted issues I've seen have more info here, like email or organization. Thanks!

hulbert commented 8 years ago

Apologies for bumping but wondering if anyone has ideas on this? Or a replicable Github config for 2.0.1?

gkuchta commented 8 years ago

Try removing

scope = "user:email,read:org"

The scopes should be setup automatically.

https://github.com/bitly/oauth2_proxy/blob/v2.0.1/providers/github.go#L42 https://github.com/bitly/oauth2_proxy/blob/v2.0.1/providers/github.go#L50

Off the top of my head, I'm wondering if you aren't getting some weirdness in ParseQuery by having, essentially, p.Scope = "user:email,read:org read:org"

hulbert commented 8 years ago

@gkuchta thanks for the idea, I tried w/ that line removed from my config file but ended up with the same type of logging of authentication complete but then Cookie Signature not valid (same as before).

mbrevoort commented 8 years ago

I'm stuck on this same issue, getting "Cookie Signature not valid" with github provider after authentication complete Session{ token:true}.

Here's a snippet of my Kubernetes config with the start options:

        command: ["oauth2_proxy",
                  "--tls-cert=/etc/prometheus-proxy-cert/cert",
                  "--tls-key=/etc/prometheus-proxy-cert/key",
                  "--provider=github",
                  "--github-org=$(GITHUB_ORG)",
                  "--upstream=http://127.0.0.1:9090",
                  "--email-domain=*",
                  "--client-id=$(CLIENT_ID)",
                  "--client-secret=$(CLIENT_SECRET)",
                  "--cookie-expire=168h0m0s",
                  "--cookie-name=proxysession",
                  "--redirect-url=$(BASE_URL)/oauth2/callback",
                  "--cookie-secret=$(COOKIE_SECRET)",
                  "--cookie-secure=true",
                  "--cookie-httponly=false",
                  "--https-address=0.0.0.0:4443"]

@gkuchta Did you get past this?

hollingsworthd commented 8 years ago

Cookie Signature not valid

Experienced this too. Workaround for me was to configure the proxy with a custom cookie name. The only reason I suspect this works is because I had multiple oauth proxies on different subdomains sharing the same cookie name, and I customized them all to use unique names respectively. Just a guess.

mohamedhaleem commented 7 years ago

@mbrevoort - were you able to resolve the issue? Could you post the working config if you were able to resolve this?

TIA

ploxiln commented 7 years ago

Cookie Signature not valid is the key here. GitHub provider probably has nothing to do with it.

If you get this, something is mangling or replacing your cookies. As @hollingsworthd suggested, using a custom cookie name may work around this problem.

If you have multiple oauth2_proxy instances serving the same domain, and the same cookie, they will need the same cookie secret. If you do tricky things with multiple subdomains, you really have to know how everything works underneath, and inspect all requests and responses to debug.
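An added illustration of the failure mode ploxiln and hollingsworthd describe (this is not oauth2_proxy's own code; the project has its own cookie format, and the secrets and cookie names below are constructed sample values): a minimal HMAC-signed session cookie whose signature binds both the cookie secret and the cookie name, so a cookie issued by one proxy is rejected by a second proxy that holds a different secret but reads the same cookie name on a shared domain.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// signature is HMAC-SHA256 over the cookie name and payload, keyed by the
// proxy's cookie secret, so the value binds to both the secret and the name.
func signature(secret, name, payload string) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(name + "|" + payload))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// SignCookie produces the value a proxy would store: "payload|signature".
func SignCookie(secret, name, payload string) string {
	return payload + "|" + signature(secret, name, payload)
}

// ValidateCookie returns (payload, true) when the signature verifies under
// this proxy's secret and cookie name, else ("", false). The log line
// "Cookie Signature not valid" seen in the thread corresponds to the false branch.
func ValidateCookie(secret, name, cookie string) (string, bool) {
	i := strings.LastIndex(cookie, "|") // signature is base64url, never contains '|'
	if i < 0 {
		return "", false
	}
	payload, got := cookie[:i], cookie[i+1:]
	want := signature(secret, name, payload)
	if !hmac.Equal([]byte(got), []byte(want)) { // constant-time comparison
		return "", false
	}
	return payload, true
}

func main() {
	// Constructed sample values, not real secrets.
	cookie := SignCookie("secret-of-proxy-A", "_oauth2_proxy", "user@example.com")

	// Same proxy, same secret and name: the session is accepted.
	_, ok := ValidateCookie("secret-of-proxy-A", "_oauth2_proxy", cookie)
	fmt.Println("same secret, same name:", ok)

	// A second proxy on a sibling subdomain with its own secret but the same
	// cookie name receives this cookie (scoped to the parent domain) and rejects it.
	_, ok = ValidateCookie("secret-of-proxy-B", "_oauth2_proxy", cookie)
	fmt.Println("different secret, same name:", ok)
}
```

Giving each proxy a distinct cookie name keeps the browser from presenting proxy A's cookie to proxy B at all, while sharing one cookie secret lets both proxies accept the same cookie when that is intended.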