bitly / oauth2_proxy

A reverse proxy that provides authentication with Google, Github or other provider
MIT License

github_org returning empty user #599

Open adamwolfe-tc opened 6 years ago

adamwolfe-tc commented 6 years ago

I'm working on enabling OAuth2 via GitHub for some Kibana nodes behind nginx in auth-request mode.

My oauth.cfg looks like so:

upstreams = [
   "file:///dev/null"
]
request_logging = true
email_domains = ["*"]
client_id = "< client id >"
client_secret = "< client secret >"
cookie_name = "_oauth2_proxy_< my hostname >"
cookie_secret = "< my cookie secret >"
cookie_expire = "1h"
cookie_refresh = "1m"
cookie_secure = false
cookie_httponly = true
provider = "github"
github_org = "< my org >"

and my nginx config:

server {
   listen 80;
   server_name < hostname >;

   location /oauth2/ {
     proxy_pass       http://127.0.0.1:4180;
     proxy_set_header Host                    $host;
     proxy_set_header X-Real-IP               $remote_addr;
     proxy_set_header X-Scheme                $scheme;
     proxy_set_header X-Auth-Request-Redirect $request_uri;
   }

   location = /oauth2/auth {
     proxy_pass       http://127.0.0.1:4180;
     proxy_set_header Host             $host;
     proxy_set_header X-Real-IP        $remote_addr;
     proxy_set_header X-Scheme         $scheme;
     proxy_set_header Content-Length   "";
     proxy_pass_request_body           off;
   }

   location / {
     auth_request /oauth2/auth;
     error_page 401 = /oauth2/sign_in;

     auth_request_set $user   $upstream_http_x_auth_request_user;
     auth_request_set $email  $upstream_http_x_auth_request_email;
     proxy_set_header X-User  $user;
     proxy_set_header X-Email $email;

     auth_request_set $auth_cookie $upstream_http_set_cookie;
     add_header Set-Cookie $auth_cookie;

     proxy_pass http://localhost:5601;
     proxy_http_version 1.1;
     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection 'upgrade';
     proxy_set_header Host $host;
     proxy_set_header es-security-runas-user $http_x_forwarded_user;
     proxy_set_header Authorization "Basic < some base64 stuff to get into kibana >";

   }
}

When I attempt to log in, I am sent to GitHub, enter my u/p, and then am given a 403 with the below message that contains nothing about my account:

2018/05/23 21:53:05 oauthproxy.go:566: 127.0.0.1:56828 ("my_Ip") Permission Denied: "" is unauthorized
2018/05/23 21:53:05 oauthproxy.go:349: ErrorPage 403 Permission Denied Invalid Account

When I remove github_org from my oauth.cfg, I am able to get to Kibana just fine and see plenty of info about my account in the output:

2018/05/23 21:52:08 oauthproxy.go:557: 127.0.0.1:56252 ("my_ip") authentication complete Session{< my email > token:true}

What am I missing here that will get the github_org restrictions working?
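
A log triage example for the two log formats quoted in the post, added here and not part of the original issue or of the oauth2_proxy code: it separates denials logged with an empty account name, as in this report, from denials of a named account. The sample lines, client addresses, e-mail values and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the format of the post's log excerpts; the client
# addresses and e-mail values are placeholders, not data from the issue.
SAMPLE_LOG = """\
2018/05/23 21:52:08 oauthproxy.go:557: 127.0.0.1:56252 ("203.0.113.7") authentication complete Session{alice@example.com token:true}
2018/05/23 21:53:05 oauthproxy.go:566: 127.0.0.1:56828 ("203.0.113.7") Permission Denied: "" is unauthorized
2018/05/23 21:53:05 oauthproxy.go:349: ErrorPage 403 Permission Denied Invalid Account
2018/05/23 21:54:40 oauthproxy.go:566: 127.0.0.1:56901 ("198.51.100.9") Permission Denied: "bob@example.org" is unauthorized
"""

# timestamp, source location, proxy peer, quoted client address, message
PREFIX = re.compile(
    r'^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) oauthproxy\.go:\d+: '
    r'\S+ \("(?P<client>[^"]*)"\) (?P<msg>.*)$')
DENIED = re.compile(r'Permission Denied: "(?P<who>[^"]*)" is unauthorized')
COMPLETE = re.compile(r'authentication complete Session\{(?P<who>.*?)(?: token:|\})')


def triage(log_text):
    """Return (timestamp, client, outcome, identity) for each auth decision."""
    events = []
    for line in log_text.splitlines():
        head = PREFIX.match(line)
        if not head:
            continue  # e.g. the ErrorPage line, which names no client
        denied = DENIED.match(head["msg"])
        done = COMPLETE.match(head["msg"])
        if denied:
            # Empty quotes: the proxy logged no account name for this denial.
            outcome = "denied" if denied["who"] else "denied-empty-identity"
            events.append((head["ts"], head["client"], outcome, denied["who"]))
        elif done:
            events.append((head["ts"], head["client"], "ok", done["who"]))
    return events


def empty_identity_clients(events):
    """Count denials per client where no account name was logged."""
    return Counter(c for _, c, outcome, _ in events
                   if outcome == "denied-empty-identity")


if __name__ == "__main__":
    for event in triage(SAMPLE_LOG):
        print(*event, sep="  ")
    print(dict(empty_identity_clients(triage(SAMPLE_LOG))))
```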