thomseddon / traefik-forward-auth

Minimal forward authentication service that provides Google/OpenID oauth based login and authentication for the traefik reverse proxy
MIT License
2.18k stars, 412 forks

Empty email field in cookie when providing whitelist #180

Open JDouven opened 4 years ago

JDouven commented 4 years ago

I'm having an issue with the whitelist. When supplying emails for the whitelist, the email field of the cookie is empty. When I don't supply anything for the WHITELIST environment variable, I can login just fine. It also doesn't work if I supply only one email for the whitelist.

I'm using Google as my provider. One of my friends has the same config but it works for him. No idea what's going on.

I have read most other issues concerning the whitelist but have not seen this specific case.

My docker-compose

oauth:
    image: thomseddon/traefik-forward-auth:2.2.0-arm
    container_name: oauth
    networks:
      - traefik-public
    environment:
      - CLIENT_ID=$GOOGLE_CLIENT_ID
      - CLIENT_SECRET=$GOOGLE_CLIENT_SECRET
      - SECRET=$OAUTH_SECRET
      - COOKIE_DOMAIN=$DOMAINNAME
      - INSECURE_COOKIE=false
      - AUTH_HOST=oauth.$DOMAINNAME
      - URL_PATH=/_oauth
      # it works after commenting out the line below
      - WHITELIST=myemail1@example.com,myemail2@example.com,myemail3@example.com
      - LOG_LEVEL=debug
      - LOG_FORMAT=text
      - LIFETIME=2592000 # 30 days
      - TZ=Europe/Amsterdam
    labels:
      - traefik.enable=true
      # Routers
      - traefik.http.routers.oauth.entrypoints=https
      - traefik.http.routers.oauth.rule=Host(`oauth.$DOMAINNAME`)
      - traefik.http.routers.oauth.tls=true
      # Services
      - traefik.http.services.oauth-service.loadbalancer.server.port=4181
      # Middleware
      - traefik.http.routers.oauth.middlewares=chain-oauth@file

Log from startup until a login attempt

time="2020-09-07T20:03:45Z" level=debug msg="Starting with config" config="{\"LogLevel\":\"debug\",\"LogFormat\":\"text\",\"AuthHost\":\"oauth.example.com\",\"CookieDomains\":[{\"Domain\":\"example.com\",\"DomainLen\":14,\"SubDomain\":\".example.com\",\"SubDomainLen\":15}],\"InsecureCookie\":false,\"CookieName\":\"_forward_auth\",\"CSRFCookieName\":\"_forward_auth_csrf\",\"DefaultAction\":\"auth\",\"DefaultProvider\":\"google\",\"Domains\":null,\"LifetimeString\":2592000,\"LogoutRedirect\":\"\",\"MatchWhitelistOrDomain\":false,\"Path\":\"/_oauth\",\"Whitelist\":[\"myemail1@example.com\",\"myemail2@example.com\",\"myemail3@example.com\"],\"Providers\":{\"Google\":{\"ClientID\":\"{{my-client-id}}",\"Scope\":\"https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email\",\"Prompt\":\"select_account\",\"LoginURL\":{\"Scheme\":\"https\",\"Opaque\":\"\",\"User\":null,\"Host\":\"accounts.google.com\",\"Path\":\"/o/oauth2/auth\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"TokenURL\":{\"Scheme\":\"https\",\"Opaque\":\"\",\"User\":null,\"Host\":\"www.googleapis.com\",\"Path\":\"/oauth2/v3/token\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"UserURL\":{\"Scheme\":\"https\",\"Opaque\":\"\",\"User\":null,\"Host\":\"www.googleapis.com\",\"Path\":\"/oauth2/v2/userinfo\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"}},\"OIDC\":{\"IssuerURL\":\"\",\"ClientID\":\"\",\"Resource\":\"\",\"Config\":null},\"GenericOAuth\":{\"AuthURL\":\"\",\"TokenURL\":\"\",\"UserURL\":\"\",\"ClientID\":\"\",\"Scopes\":[\"profile\",\"email\"],\"TokenStyle\":\"header\",\"Resource\":\"\",\"Config\":null}},\"Rules\":{},\"Lifetime\":2592000000000000,\"CookieDomainsLegacy\":null,\"CookieSecureLegacy\":\"\",\"ClientIdLegacy\":\"{{my-client-id}}",\"PromptLegacy\":\"\"}",
time="2020-09-07T20:03:46Z" level=info msg="Listening on :4181",
time="2020-09-07T20:08:25Z" level=debug msg="Authenticating request" cookies="[]" handler=Auth host=traefik.example.com method=GET proto=https rule=default source_ip=192.168.1.10 uri=/,
time="2020-09-07T20:08:25Z" level=debug msg="Set CSRF cookie and redirected to provider login url" csrf_cookie="_forward_auth_csrf=f2a369b43ec123a049ce0920e3f474b4; Path=/; Domain=example.com; Expires=Wed, 07 Oct 2020 20:08:25 GMT; HttpOnly; Secure" handler=Auth host=traefik.example.com login_url="https://accounts.google.com/o/oauth2/auth?client_id={{my-client-id}}&prompt=select_account&redirect_uri=https%3A%2F%2Foauth.example.com%2F_oauth&response_type=code&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&state=f2a369b43ec123a049ce0920e3f474b4%3Agoogle%3Ahttps%3A%2F%2Ftraefik.example.com%2F" method=GET proto=https rule=default source_ip=192.168.1.10 uri=/,
time="2020-09-07T20:08:42Z" level=debug msg="Handling callback" cookies="[_forward_auth_csrf=f2a369b43ec123a049ce0920e3f474b4]" handler=AuthCallback host=oauth.example.com method=GET proto=https rule=default source_ip=192.168.1.10 uri="/_oauth?state=f2a369b43ec123a049ce0920e3f474b4%3Agoogle%3Ahttps%3A%2F%2Ftraefik.example.com%2F&code=4%2F3wG3a8Eun8uA_R0vp901K0hxK6BnpD39oURZuBpHv85Rby07qx6r_mT6VKrrG9odDOVF-aNWZyVLRPp4LXFE-O8&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+openid&authuser=0&prompt=consent",
time="2020-09-07T20:08:43Z" level=info msg="Successfully generated auth cookie, redirecting user." handler=AuthCallback host=oauth.example.com method=GET proto=https provider=google redirect="https://traefik.example.com/" rule=default source_ip=192.168.1.10 uri="/_oauth?state=f2a369b43ec123a049ce0920e3f474b4%3Agoogle%3Ahttps%3A%2F%2Ftraefik.example.com%2F&code=4%2F3wG3a8Eun8uA_R0vp901K0hxK6BnpD39oURZuBpHv85Rby07qx6r_mT6VKrrG9odDOVF-aNWZyVLRPp4LXFE-O8&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+openid&authuser=0&prompt=consent" user=,
time="2020-09-07T20:08:43Z" level=debug msg="Authenticating request" cookies="[_forward_auth=RPLzet-yKAXwot1QZKWBtGtqZ4Oi4zYhsQOFxIX5YfE=|1602101323|]" handler=Auth host=traefik.example.com method=GET proto=https rule=default source_ip=192.168.1.10 uri=/,
time="2020-09-07T20:08:43Z" level=warning msg="Invalid email" email= handler=Auth host=traefik.example.com method=GET proto=https rule=default source_ip=192.168.1.10 uri=/,
time="2020-09-07T20:08:43Z" level=debug msg="Authenticating request" cookies="[_forward_auth=RPLzet-yKAXwot1QZKWBtGtqZ4Oi4zYhsQOFxIX5YfE=|1602101323|]" handler=Auth host=traefik.example.com method=GET proto=https rule=default source_ip=192.168.1.10 uri=/favicon.ico,
time="2020-09-07T20:08:43Z" level=warning msg="Invalid email" email= handler=Auth host=traefik.example.com method=GET proto=https rule=default source_ip=192.168.1.10 uri=/favicon.ico,
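
As an added illustration (not the project's code), here is a Go sketch of the mac|expires|email cookie layout visible in the log above and a fail-closed whitelist/domain check that rejects the empty email field. The precedence I give whitelist, domains and MatchWhitelistOrDomain is my own assumption, simplified from the config keys shown in the startup log.

```go
package main

import (
	"fmt"
	"strings"
)

// cookieEmail returns the third field of the mac|expires|email cookie layout
// seen in the logs above; ok is false when the layout itself is wrong.
func cookieEmail(value string) (email string, ok bool) {
	parts := strings.SplitN(value, "|", 3)
	if len(parts) != 3 {
		return "", false
	}
	return parts[2], true
}

// validateEmail fails closed on an empty or malformed address, then applies the
// assumed rule: whitelist wins when set, else domains; matchEither accepts either.
func validateEmail(email string, whitelist, domains []string, matchEither bool) bool {
	email = strings.ToLower(strings.TrimSpace(email))
	at := strings.LastIndex(email, "@")
	if at <= 0 || at == len(email)-1 {
		return false // "" (as in the cookie above) and anything not user@domain
	}
	inWhitelist, inDomains := contains(whitelist, email), contains(domains, email[at+1:])
	switch {
	case matchEither && (len(whitelist) > 0 || len(domains) > 0):
		return inWhitelist || inDomains
	case len(whitelist) > 0:
		return inWhitelist
	case len(domains) > 0:
		return inDomains
	}
	return true // nothing configured: any authenticated address passes
}

func contains(list []string, needle string) bool {
	for _, v := range list {
		if strings.EqualFold(strings.TrimSpace(v), needle) {
			return true
		}
	}
	return false
}

func main() { // constructed from the cookie value in the log above: email is empty
	email, _ := cookieEmail("RPLzet-yKAXwot1QZKWBtGtqZ4Oi4zYhsQOFxIX5YfE=|1602101323|")
	fmt.Println(validateEmail(email, []string{"myemail1@example.com"}, nil, false))
}
```
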

thomseddon commented 4 years ago

Hmm, are you 100% sure that the email address you're logging in with is exactly the same as the email address in the whitelist? If they look the same, could you try logging in via an incognito window with just a single email address in the whitelist?

JDouven commented 4 years ago

I've tried logging in the way you suggested. I still get a "Not authorized" error. Now this is my log. (Looks the same as above to me)

Also, I'm 100% sure the email address is correct.

time="2020-09-23T14:22:13Z" level=debug msg="Starting with config" config="{\"LogLevel\":\"debug\",\"LogFormat\":\"text\",\"AuthHost\":\"oauth.example.com\",\"CookieDomains\":[{\"Domain\":\"example.com\",\"DomainLen\":14,\"SubDomain\":\".example.com\",\"SubDomainLen\":15}],\"InsecureCookie\":false,\"CookieName\":\"_forward_auth\",\"CSRFCookieName\":\"_forward_auth_csrf\",\"DefaultAction\":\"auth\",\"DefaultProvider\":\"google\",\"Domains\":null,\"LifetimeString\":2592000,\"LogoutRedirect\":\"\",\"MatchWhitelistOrDomain\":false,\"Path\":\"/_oauth\",\"Whitelist\":[\"my-email@gmail.com\"],\"Providers\":{\"Google\":{\"ClientID\":\"{{my-client-id}}",\"Scope\":\"https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email\",\"Prompt\":\"select_account\",\"LoginURL\":{\"Scheme\":\"https\",\"Opaque\":\"\",\"User\":null,\"Host\":\"accounts.google.com\",\"Path\":\"/o/oauth2/auth\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"TokenURL\":{\"Scheme\":\"https\",\"Opaque\":\"\",\"User\":null,\"Host\":\"www.googleapis.com\",\"Path\":\"/oauth2/v3/token\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"UserURL\":{\"Scheme\":\"https\",\"Opaque\":\"\",\"User\":null,\"Host\":\"www.googleapis.com\",\"Path\":\"/oauth2/v2/userinfo\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"}},\"OIDC\":{\"IssuerURL\":\"\",\"ClientID\":\"\",\"Resource\":\"\",\"Config\":null},\"GenericOAuth\":{\"AuthURL\":\"\",\"TokenURL\":\"\",\"UserURL\":\"\",\"ClientID\":\"\",\"Scopes\":[\"profile\",\"email\"],\"TokenStyle\":\"header\",\"Resource\":\"\",\"Config\":null}},\"Rules\":{},\"Lifetime\":2592000000000000,\"CookieDomainsLegacy\":null,\"CookieSecureLegacy\":\"\",\"ClientIdLegacy\":\"{{my-client-id}}",\"PromptLegacy\":\"\"}",
time="2020-09-23T14:22:13Z" level=info msg="Listening on :4181",
time="2020-09-23T14:22:53Z" level=debug msg="Authenticating request" cookies="[]" handler=Auth host=traefik.example.com method=GET proto=https rule=default source_ip=192.168.1.10 uri=/,
time="2020-09-23T14:22:53Z" level=debug msg="Set CSRF cookie and redirected to provider login url" csrf_cookie="_forward_auth_csrf=6a1be8bb187016d7cf0965f57c8e9bcc; Path=/; Domain=example.com; Expires=Fri, 23 Oct 2020 14:22:53 GMT; HttpOnly; Secure" handler=Auth host=traefik.example.com login_url="https://accounts.google.com/o/oauth2/auth?client_id={{my-client-id}}&prompt=select_account&redirect_uri=https%3A%2F%2Foauth.example.com%2F_oauth&response_type=code&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email&state=6a1be8bb187016d7cf0965f57c8e9bcc%3Agoogle%3Ahttps%3A%2F%2Ftraefik.example.com%2F" method=GET proto=https rule=default source_ip=192.168.1.10 uri=/,
time="2020-09-23T14:23:09Z" level=debug msg="Handling callback" cookies="[_forward_auth_csrf=6a1be8bb187016d7cf0965f57c8e9bcc]" handler=AuthCallback host=oauth.example.com method=GET proto=https rule=default source_ip=192.168.1.10 uri="/_oauth?state=6a1be8bb187016d7cf0965f57c8e9bcc%3Agoogle%3Ahttps%3A%2F%2Ftraefik.example.com%2F&code=4%2F4QEe7MMYFqXqtEAOV1k-Wy26GRW5J59WVPCdD7Y1_xl_o8HPocq31yfftIAPlvqY41XS1aG3O5CKHo6KDDcbp6E&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+openid&authuser=0&prompt=consent",
time="2020-09-23T14:23:14Z" level=info msg="Successfully generated auth cookie, redirecting user." handler=AuthCallback host=oauth.example.com method=GET proto=https provider=google redirect="https://traefik.example.com/" rule=default source_ip=192.168.1.10 uri="/_oauth?state=6a1be8bb187016d7cf0965f57c8e9bcc%3Agoogle%3Ahttps%3A%2F%2Ftraefik.example.com%2F&code=4%2F4QEe7MMYFqXqtEAOV1k-Wy26GRW5J59WVPCdD7Y1_xl_o8HPocq31yfftIAPlvqY41XS1aG3O5CKHo6KDDcbp6E&scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+openid&authuser=0&prompt=consent" user=,
time="2020-09-23T14:23:14Z" level=debug msg="Authenticating request" cookies="[_forward_auth=bBAN1F34PtMe4CkmFuV2YpczXMMg9xOTtQY9Mydsf4M=|1603462994|]" handler=Auth host=traefik.example.com method=GET proto=https rule=default source_ip=192.168.1.10 uri=/,
time="2020-09-23T14:23:14Z" level=warning msg="Invalid email" email= handler=Auth host=traefik.example.com method=GET proto=https rule=default source_ip=192.168.1.10 uri=/,
time="2020-09-23T14:23:14Z" level=debug msg="Authenticating request" cookies="[_forward_auth=bBAN1F34PtMe4CkmFuV2YpczXMMg9xOTtQY9Mydsf4M=|1603462994|]" handler=Auth host=traefik.example.com method=GET proto=https rule=default source_ip=192.168.1.10 uri=/favicon.ico,
time="2020-09-23T14:23:14Z" level=warning msg="Invalid email" email= handler=Auth host=traefik.example.com method=GET proto=https rule=default source_ip=192.168.1.10 uri=/favicon.ico,

thomseddon commented 4 years ago

Could you try running the latest 2.2.0 version? I added a bit more logging in 2.1 so we should now be able to see the exact address being parsed: https://github.com/thomseddon/traefik-forward-auth/blob/c19f622fbdac74a959477f8f2b8bdc712754e1c9/internal/server.go#L106

JDouven commented 4 years ago

Would it be possible to update the build for arm as well? I'm running it all on a Raspberry Pi so I'm dependent on the arm builds. It does not appear to be updated yet on dockerhub.

thomseddon commented 4 years ago

Yep, I'm targeting this for 2.3

BattleBiscuit commented 4 months ago

I have the same behaviour today.

time="2024-07-30T07:25:54Z" level=warning msg="Invalid email" email= handler=Auth host=whoami.*****.de method=GET proto=http rule=default source_ip=******** uri=/

I get this logging when using whitelist and when using domain. Both have an empty mail field.

Tested with latest docker image for Google oAuth.

When not setting up one of the two env vars, the authentication works as expected.