oauth2-proxy / manifests

For hosting manifests to allow for the deployment of OAuth2-Proxy/OAuth2-Proxy
Apache License 2.0

[Bug]: Setting `proxy-prefix` in helm seems to break login #222

Open adam-long opened 6 months ago

adam-long commented 6 months ago

OAuth2-Proxy Version

7.6

Provider

keycloak-oidc

Expected Behaviour

Same behavior as using default oauth2 proxy-prefix.

Current Behaviour

Attempting to log in to an ingress using oauth2proxy as a defined prefix results in a 403 error page from nginx.

Steps To Reproduce

  1. Set oauth2-proxy.extraArgs.proxy-prefix: "oauth2proxy"
  2. Set the oauth2-proxy Ingress path to "/oauth2proxy"
  3. Set Ingress for protected resource (I used a basic nginx deployment with the stock Hello World HTML for testing) to use "/oauth2proxy" instead of default "/oauth2"
  4. Deploy resources
  5. Visit resource defined in step 3 in web browser
  6. Receive 403 Forbidden from the Ingress NGINX without attempt to login.

Possible Solutions

No response

Configuration details or additional information

I'm attempting to deploy oauth2-proxy using Helm on the same hostname that has another application already using /oauth2, so I'm attempting to change the prefix used by oauth2-proxy. My setup is pretty simple for Kubernetes - I have a basic Keycloak (23.0.6), NGINX Ingress, oauth2-proxy, and a basic nginx deployment displaying the stock welcome message.

I'm attempting to protect the basic nginx deployment using oauth2-proxy. I have it working using the default proxy-prefix of /oauth2, but if I make the modifications in the "Steps To Reproduce", I end up with a 403 error message and no attempt to log in to send to Keycloak for authentication.

I've removed the conflicting application in an attempt to get this to work and reduced it down to only ingress, keycloak, oauth2-proxy, and the basic nginx deployment.

Looking at the logs for the ingress pod as well as oauth2-proxy, they register the 403 result, but that's it. It's not clear to me what else I need to configure in order to change the prefix for oauth2-proxy.

github-actions[bot] commented 4 months ago

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.

pierluigilenoci commented 4 months ago

@adam-long, can you attach the deployment manifest produced with your configuration to this issue?

pierluigilenoci commented 3 months ago

@JoelSpeed, the extraArgs are passed without modifications or processing. So it can't be a chart issue. Because otherwise, none of them would work. Ref: https://github.com/oauth2-proxy/manifests/blob/main/helm/oauth2-proxy/templates/deployment.yaml#L126-L139 So, please transfer the issue back. 🙏🏻

@adam-long Sorry, but I can't help you more. If the issue is not transferred back to the correct repo, I suggest you reopen it by increasing the configuration details and making it explicit that it is not a chart problem. Using the word "helm" in the title has shifted attention away from the problem. 🤷🏻‍♂️

adam-long commented 3 months ago

Thanks for looking at it @pierluigilenoci - this dropped off my plate. I'll try to pick it back up again and see if I can give you a bit more info.