oauth2-proxy / oauth2-proxy

A reverse proxy that provides authentication with Google, Azure, OpenID Connect and many more identity providers.
https://oauth2-proxy.github.io/oauth2-proxy
MIT License

[Support]: Issue in getting the authorization header in request/response #2398

Closed winweb123 closed 6 months ago

winweb123 commented 8 months ago

OAuth2-Proxy Version

latest

Provider

keycloak

Current Behaviour of your Problem

We are using the Keycloak identity provider along with oauth2-proxy and the nginx ingress controller. Authentication is successful and token validation is happening successfully, but we are not able to get the access token and authorization headers even after setting the pass access token and pass authorization header flags in the oauth2-proxy config file. We have also added the authorization in the ingress controller auth response headers annotations. Please let us know how to achieve the same.

Configuration details or additional information

oauth2-proxy config details

Steps To Reproduce

No response

winweb123 commented 8 months ago

Oauth2 proxy config file:

```yaml
apiVersion: v1
data:
  oauth2-proxy.cfg: |-
    # Provider config
    provider="keycloak"
    provider_display_name="Keycloak"
    login_url="http://keycloak.keycloak:8080/auth/realms/IPNM-Realm/protocol/openid-connect/auth"
    redeem_url="http://keycloak.keycloak:8080/auth/realms/IPNM-Realm/protocol/openid-connect/token"
    validate_url="http://keycloak.keycloak:8080/auth/realms/IPNM-Realm/protocol/openid-connect/userinfo"
    profile_url="http://keycloak.keycloak:8080/auth/realms/IPNM-Realm/protocol/openid-connect/userinfo"
    ssl_insecure_skip_verify=true
    standard_logging=true
    auth_logging=true
    request_logging=true
    set_xauthrequest=true
    #skip_issuer_verification=true
    # Client config
    client_id="xx"
    client_secret="xx"
    cookie_secret="xxx"
    #cookie_secure="false"
    redirect_url="http://localhost/oauth2/callback"
    #skip_jwt_bearer_tokens=true
    # Upstream config
    http_address="0.0.0.0:4180"
    upstreams="http://localhost"
    email_domains=["*"]
    oidc_issuer_url="http://keycloak.keycloak:8080/auth/realms/IPNM-Realm"
    cookie_domains=["localhost"]
    scope="openid"
    whitelist_domains=[".localhost:*"]
    pass_authorization_header = true
    pass_access_token = true
    pass_user_headers = true
    set_authorization_header = true
    prefer_email_to_user = true
    skip_auth_strip_headers = false
    #session_store_type="redis"
    #redis_connection_url="redis://10.108.104.57:6379"
kind: ConfigMap
metadata:
  name: oauth2-proxy-config
  namespace: test
```

winweb123 commented 8 months ago

We are checking the developer tools network tab for these headers (X-Auth-Request-Access-Token, X-Forwarded-User, X-Forwarded-Email and X-Forwarded-Preferred-Username) but are not able to see them.

tuunit commented 8 months ago

Hi @winweb123,

I will need to understand how your architecture is designed.

Are you trying one of the following:

  1. upstream behind oauth2-proxy

    user -> oauth2-proxy -> upstream
  2. upstream behind nginx using oauth2-proxy auth module

    user
    |
    v
    nginx ----> oauth2-proxy
    |
    v
    upstream
  3. upstream behind oauth2-proxy using nginx as a reverse-proxy

    user -> nginx -> oauth2-proxy -> upstream

tuunit commented 8 months ago

As your upstream you configured localhost with port 80. What is running on port 80?

tuunit commented 8 months ago

Furthermore, never ever share your cookie or client secrets. Please redact them from the config you posted.

winweb123 commented 8 months ago

Hi @winweb123,

I will need to understand how your architecture is designed.

Are you trying one of the following:

  1. upstream behind oauth2-proxy

    user -> oauth2-proxy -> upstream
  2. upstream behind nginx using oauth2-proxy auth module

    user
    |
    v
    nginx ----> oauth2-proxy
    |
    v
    upstream
  3. upstream behind oauth2-proxy using nginx as a reverse-proxy

    user -> nginx -> oauth2-proxy -> upstream

We are using the 2nd option.

winweb123 commented 8 months ago

As your upstream you configured localhost with port 80. What is running on port 80?

The application frontend is running on port 80.

winweb123 commented 8 months ago

Thank you Jan. I have replied to the queries.

winweb123 commented 8 months ago

Please let us know if there is a solution for the same. We have also tried out the alpha configuration, and the request headers and response headers are still not populating.

tuunit commented 8 months ago

Hi @winweb123,

please share your nginx configuration.

The headers will be sent to nginx, and you will need to configure nginx properly to forward the headers to your upstream.

tuunit commented 8 months ago

Furthermore, you should not configure an upstream at all, or just a static upstream like upstreams=["static://202"].

Your nginx only needs a response code for the auth_request module.

Additionally you are missing the reverse_proxy flag. Which is necessary when running behind nginx or any other load balancer.

--reverse-proxy bool are we running behind a reverse proxy, controls whether headers like X-Real-IP are accepted and allows X-Forwarded-{Proto,Host,Uri} headers to be used on redirect selection

tuunit commented 8 months ago

We are checking the developer tools - network tab to get these headers X-Auth-Request-Access-Token , X-Forwarded-User, X-Forwarded-Email and X-Forwarded-Preferred-Username but not able to see them

As you are running oauth2-proxy behind nginx you are not supposed to see any of those headers in the browser communication. Unless you specifically configure nginx to do so.

tuunit commented 8 months ago

we are using 2nd option

If you are really trying to build the second option, you are using the wrong flags.

Instead of using pass_user_headers, pass_access_token and pass_authorization_header, you will need to use the following:

| Flag | Type | Description |
| --- | --- | --- |
| `--set-xauthrequest` | bool | set X-Auth-Request-User, X-Auth-Request-Groups, X-Auth-Request-Email and X-Auth-Request-Preferred-Username response headers (useful in Nginx auth_request mode). When used with `--pass-access-token`, X-Auth-Request-Access-Token is added to response headers. |
| `--set-authorization-header` | bool | set Authorization Bearer response header (useful in Nginx auth_request mode) |
| `--set-basic-auth` | bool | set HTTP Basic Auth information in response (useful in Nginx auth_request mode) |
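
Putting tuunit's points together for the ingress-nginx setup from the original post (option 2: nginx calls oauth2-proxy's /oauth2/auth endpoint through auth_request, then copies the headers from that auth response onto the request it proxies to the application). This is an added example, not the project's own documentation and not anything posted in the thread. The host app.example.com, the namespace test, the Service names oauth2-proxy and app-frontend, and the Keycloak URLs are assumptions; client_id, client_secret and cookie_secret are placeholders to be filled from a Secret. Compared with the config posted above, the upstream is replaced by a static 202 response, reverse_proxy is switched on, the pass_* flags that only matter when oauth2-proxy itself proxies to the upstream are dropped, and pass_access_token is kept only because the flag table says X-Auth-Request-Access-Token is added to the auth response when it is combined with set_xauthrequest.

```yaml
# Added example (not from the thread): oauth2-proxy in nginx auth_request
# mode behind ingress-nginx. Hostnames, namespace and Service names are
# assumptions; replace the xx placeholders with real values from a Secret.
apiVersion: v1
kind: ConfigMap
metadata:
  name: oauth2-proxy-config
  namespace: test
data:
  oauth2-proxy.cfg: |-
    provider = "keycloak"
    provider_display_name = "Keycloak"
    oidc_issuer_url = "http://keycloak.keycloak:8080/auth/realms/IPNM-Realm"
    login_url = "http://keycloak.keycloak:8080/auth/realms/IPNM-Realm/protocol/openid-connect/auth"
    redeem_url = "http://keycloak.keycloak:8080/auth/realms/IPNM-Realm/protocol/openid-connect/token"
    validate_url = "http://keycloak.keycloak:8080/auth/realms/IPNM-Realm/protocol/openid-connect/userinfo"
    profile_url = "http://keycloak.keycloak:8080/auth/realms/IPNM-Realm/protocol/openid-connect/userinfo"
    scope = "openid"
    email_domains = ["*"]
    client_id = "xx"
    client_secret = "xx"
    cookie_secret = "xx"
    cookie_secure = true
    # nginx terminates TLS and reaches oauth2-proxy over the cluster network;
    # the callback and allowed redirect targets are on the public host.
    redirect_url = "https://app.example.com/oauth2/callback"
    whitelist_domains = ["app.example.com"]
    http_address = "0.0.0.0:4180"
    # auth_request only needs a status code from /oauth2/auth; oauth2-proxy
    # never proxies to the application in this mode.
    upstreams = ["static://202"]
    # Required behind nginx so X-Forwarded-* / X-Real-IP are honoured.
    reverse_proxy = true
    # Option-2 flags: put identity and tokens on the auth *response*.
    set_xauthrequest = true
    set_authorization_header = true
    pass_access_token = true   # adds X-Auth-Request-Access-Token to the response
    prefer_email_to_user = true
---
# The application Ingress: every request is authorised by a subrequest to
# oauth2-proxy, and the listed auth response headers are copied onto the
# request forwarded to app-frontend.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-frontend
  namespace: test
  annotations:
    nginx.ingress.kubernetes.io/auth-url: "http://oauth2-proxy.test.svc.cluster.local:4180/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
    nginx.ingress.kubernetes.io/auth-response-headers: "Authorization,X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Preferred-Username,X-Auth-Request-Groups,X-Auth-Request-Access-Token"
spec:
  ingressClassName: nginx
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app-frontend
                port:
                  number: 80
---
# Route /oauth2/* on the same host to oauth2-proxy so /oauth2/start,
# /oauth2/callback and /oauth2/sign_out are reachable by the browser.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: oauth2-proxy
  namespace: test
spec:
  ingressClassName: nginx
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /oauth2
            pathType: Prefix
            backend:
              service:
                name: oauth2-proxy
                port:
                  number: 4180
```

To check the result, look at what app-frontend receives (its access log, or a request-dumping endpoint), not at the browser's network tab: the X-Auth-Request-* and Authorization headers exist only on the nginx-to-upstream hop. Because ingress-nginx sets the auth-response-headers with proxy_set_header on that hop, a client that sends its own X-Auth-Request-User gets it overwritten, which is the property that makes the application safe to trust these headers as long as it is reachable only through this ingress. Forwarding the access token and the bearer Authorization header means the application holds a live token for the user, so list only the headers it actually needs.
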
winweb123 commented 8 months ago

Thank you for the inputs. We are able to get the headers.

LeVraiRoiDHyrule commented 8 months ago

Hi, I am highly interested in the "second option" as well, but I'm trying to do it with Caddy's forward_auth, which should be an equivalent to nginx's auth_request. Did you succeed in making it work? If yes, could you please share your complete oauth2-proxy configuration? Thanks in advance for any answer and have a great day.

github-actions[bot] commented 6 months ago

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.

TrevorOchmonek commented 5 hours ago

I'm struggling with this too. I also have option 2 and am trying to pass the token(s) from the Azure provider to my backend after login so it can access an API with that token. No matter what options I try, the backend never receives any auth headers, only one (huge) cookie header that seems to contain data from the login process, but I don't know what that is tbh ;)