Closed winweb123 closed 6 months ago
Oauth2 proxy config file:

```yaml
apiVersion: v1
data:
  oauth2-proxy.cfg: |-
    provider="keycloak"
    provider_display_name="Keycloak"
    login_url="http://keycloak.keycloak:8080/auth/realms/IPNM-Realm/protocol/openid-connect/auth"
    redeem_url="http://keycloak.keycloak:8080/auth/realms/IPNM-Realm/protocol/openid-connect/token"
    validate_url="http://keycloak.keycloak:8080/auth/realms/IPNM-Realm/protocol/openid-connect/userinfo"
    profile_url="http://keycloak.keycloak:8080/auth/realms/IPNM-Realm/protocol/openid-connect/userinfo"
    ssl_insecure_skip_verify=true
    standard_logging=true
    auth_logging=true
    request_logging=true
    set_xauthrequest=true
    #skip_issuer_verification=true
    # Client config
    client_id="xx"
    client_secret="xx"
    cookie_secret="xxx"
    #cookie_secure="false"
    redirect_url="http://localhost/oauth2/callback"
    #skip_jwt_bearer_tokens=true
    # Upstream config
    http_address="0.0.0.0:4180"
    upstreams="http://localhost"
    email_domains=["*"]
    oidc_issuer_url="http://keycloak.keycloak:8080/auth/realms/IPNM-Realm"
    cookie_domains=["localhost"]
    scope="openid"
    whitelist_domains=[".localhost:*"]
    pass_authorization_header = true
    pass_access_token = true
    pass_user_headers = true
    set_authorization_header = true
    prefer_email_to_user = true
    skip_auth_strip_headers = false
    #session_store_type="redis"
    #redis_connection_url="redis://10.108.104.57:6379"
kind: ConfigMap
metadata:
  name: oauth2-proxy-config
  namespace: test
```
We are checking the developer tools network tab to get these headers: X-Auth-Request-Access-Token, X-Forwarded-User, X-Forwarded-Email and X-Forwarded-Preferred-Username, but are not able to see them.
Hi @winweb123,

I will need to understand how your architecture is designed.

Are you trying one of the following:

- upstream behind oauth2-proxy

  ```
  user -> oauth2-proxy -> upstream
  ```

- upstream behind nginx using oauth2-proxy auth module

  ```
  user
   |
   v
  nginx ----> oauth2-proxy
   |
   v
  upstream
  ```

- upstream behind oauth2-proxy using nginx as a reverse-proxy

  ```
  user -> nginx -> oauth2-proxy -> upstream
  ```

As your upstream you configured localhost with port 80. What is running on port 80?

Furthermore, never ever share your cookie or client secrets. Please redact them from the config you posted.
> Hi @winweb123,
>
> I will need to understand how your architecture is designed.
>
> Are you trying one of the following:
>
> - upstream behind oauth2-proxy
>
>   ```
>   user -> oauth2-proxy -> upstream
>   ```
>
> - upstream behind nginx using oauth2-proxy auth module
>
>   ```
>   user
>    |
>    v
>   nginx ----> oauth2-proxy
>    |
>    v
>   upstream
>   ```
>
> - upstream behind oauth2-proxy using nginx as a reverse-proxy
>
>   ```
>   user -> nginx -> oauth2-proxy -> upstream
>   ```

We are using the 2nd option.

> As your upstream you configured localhost with port 80. What is running on port 80?

The application frontend is running on port 80.

Thank you Jan. I have replied to the queries.
On Saturday, January 20, 2024, Jan Larwig wrote:

> Hi @winweb123 https://github.com/winweb123,
>
> I will need to understand how your architecture is designed?
>
> Are you trying one of the following:
>
> - upstream behind oauth2-proxy
>
>   ```
>   user -> oauth2-proxy -> upstream
>   ```
>
> - upstream behind nginx using oauth2-proxy auth module
>
>   ```
>   user
>    |
>    v
>   nginx ----> oauth2-proxy
>    |
>    v
>   upstream
>   ```
>
> - upstream behind oauth2-proxy using nginx as a reverse-proxy
>
>   ```
>   user -> nginx -> oauth2-proxy -> upstream
>   ```
Please let us know if there is a solution for the same. We have also tried out the alpha configuration, and the request headers and response headers are still not populating.
Hi @winweb123,

please share your nginx configuration.

The headers will be sent to nginx and you will need to configure nginx properly to forward the headers to your upstream.

Furthermore, you should not configure an upstream, or just a static upstream like `upstreams=["static://202"]`. Your nginx only needs a response code for the auth_request module.

Additionally you are missing the `reverse_proxy` flag, which is necessary when running behind nginx or any other load balancer.

> `--reverse-proxy` | bool | are we running behind a reverse proxy, controls whether headers like X-Real-IP are accepted and allows X-Forwarded-{Proto,Host,Uri} headers to be used on redirect selection

> We are checking the developer tools network tab to get these headers X-Auth-Request-Access-Token, X-Forwarded-User, X-Forwarded-Email and X-Forwarded-Preferred-Username but not able to see them

As you are running oauth2-proxy behind nginx you are not supposed to see any of those headers in the browser communication, unless you specifically configure nginx to do so.

> we are using 2nd option

If you are really trying to build the second option you are using the wrong flags. Instead of using `pass_user_headers`, `pass_access_token` and `pass_authorization_header` you will need to use the following:

Flag | Type | Description
---|---|---
`--set-xauthrequest` | bool | set X-Auth-Request-User, X-Auth-Request-Groups, X-Auth-Request-Email and X-Auth-Request-Preferred-Username response headers (useful in Nginx auth_request mode). When used with `--pass-access-token`, X-Auth-Request-Access-Token is added to response headers.
`--set-authorization-header` | bool | set Authorization Bearer response header (useful in Nginx auth_request mode)
`--set-basic-auth` | bool | set HTTP Basic Auth information in response (useful in Nginx auth_request mode)
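The nginx side of the auth_request setup Jan describes, as an added example that is not part of the issue thread or of the oauth2-proxy project's own configuration. It assumes oauth2-proxy is reachable from nginx at `oauth2-proxy.test:4180` and the application frontend at `frontend.test:80` (hypothetical names); the oauth2-proxy flags it pairs with are listed in the leading comment. It also shows why the headers never show up in the browser's network tab: they travel on the response to nginx's internal auth subrequest, and only reach the application because `auth_request_set` copies them onto the proxied request.

```nginx
# Added example (not from the issue or the oauth2-proxy project): an nginx
# server block for the "second option", where nginx uses the auth_request
# module and oauth2-proxy only answers the auth subrequest.
#
# Assumed names (not from the issue): oauth2-proxy at oauth2-proxy.test:4180,
# application frontend at frontend.test:80.
#
# oauth2-proxy side, matching the flags discussed in the thread:
#   reverse_proxy=true             # nginx sits in front of oauth2-proxy
#   upstreams=["static://202"]     # oauth2-proxy serves no application itself
#   set_xauthrequest=true          # emit X-Auth-Request-* response headers
#   pass_access_token=true         # with set_xauthrequest: X-Auth-Request-Access-Token
#   set_authorization_header=true  # emit Authorization: Bearer <token> response header

server {
    listen 80;
    server_name localhost;

    # Sign-in, callback, sign-out and auth endpoints are proxied to oauth2-proxy.
    # The X-Forwarded-* headers are the ones the reverse_proxy flag lets it trust.
    location /oauth2/ {
        proxy_pass       http://oauth2-proxy.test:4180;
        proxy_set_header Host                    $host;
        proxy_set_header X-Real-IP               $remote_addr;
        proxy_set_header X-Forwarded-For         $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto       $scheme;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
    }

    # The auth subrequest: nginx calls this for every protected request.
    # oauth2-proxy answers 202 (valid session) or 401; no request body is needed.
    location = /oauth2/auth {
        internal;
        proxy_pass       http://oauth2-proxy.test:4180;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Uri   $request_uri;
        proxy_set_header Content-Length    "";
        proxy_pass_request_body            off;
    }

    location / {
        auth_request /oauth2/auth;
        # On 401, send the browser to the sign-in page; it returns to the
        # original URI via the X-Auth-Request-Redirect header set above.
        error_page 401 = /oauth2/sign_in;

        # The X-Auth-Request-* headers arrive on the subrequest *response*,
        # which the browser never sees. Capture them into variables ...
        auth_request_set $user   $upstream_http_x_auth_request_user;
        auth_request_set $email  $upstream_http_x_auth_request_email;
        auth_request_set $groups $upstream_http_x_auth_request_groups;
        auth_request_set $token  $upstream_http_x_auth_request_access_token;
        auth_request_set $auth   $upstream_http_authorization;

        # ... and forward them on the request that goes to the application.
        proxy_set_header X-Auth-Request-User         $user;
        proxy_set_header X-Auth-Request-Email        $email;
        proxy_set_header X-Auth-Request-Groups       $groups;
        proxy_set_header X-Auth-Request-Access-Token $token;
        proxy_set_header Authorization               $auth;

        # If oauth2-proxy refreshed the session on the subrequest, pass the
        # rotated cookie back to the browser (add_header skips empty values).
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;

        proxy_pass http://frontend.test:80;
    }
}
```

To confirm the headers, log or dump the request as received by the application rather than looking at the browser; `internal;` on `/oauth2/auth` keeps clients from calling the subrequest endpoint directly, and only the variables copied by `auth_request_set` reach the upstream. With ingress-nginx the same three pieces are expressed through the `nginx.ingress.kubernetes.io/auth-url`, `nginx.ingress.kubernetes.io/auth-signin` and `nginx.ingress.kubernetes.io/auth-response-headers` annotations instead of a hand-written server block.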
Thank you for the inputs. We are able to get the headers.
Hi, I am highly interested in the "second option" as well, but I'm trying to do it with Caddy's forward_auth, which should be an equivalent to nginx's auth_request. Did you succeed in making it work? If yes, could you please share your complete oauth2-proxy configuration? Thanks in advance for any answer and have a great day.
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.
I'm struggling with this too. Also got option 2 and trying to pass the token(s) from the azure provider to my backend after login so it can access an api with that token. No matter what options I try, the backend never receives any auth headers, only one (huge) cookie header that seems to contain data from the login process, but I don't know what that is tbh ;)
OAuth2-Proxy Version
latest
Provider
keycloak
Current Behaviour of your Problem
We are using the keycloak identity provider along with oauth2 proxy and the nginx ingress controller. Authentication is successful and token validation is happening successfully, but we are not able to get the access token and authorization headers even after setting the pass access token and pass authorization header flags in the oauth2 proxy config file. We have also added the authorization in the ingress controller auth response headers annotations. Please let us know how to achieve the same.
Configuration details or additional information
oauth2 proxy config details
Steps To Reproduce
No response