thomseddon / traefik-forward-auth

Minimal forward authentication service that provides Google/OpenID oauth based login and authentication for the traefik reverse proxy
MIT License

Generic OAUTH, AUTH_HOST - problems with Nextcloud #301

Open sgofferj opened 2 years ago

sgofferj commented 2 years ago

Not sure if that's a bug or if I'm missing anything. I have been trying to debug for hours... Without AUTH_HOST I can make it work fine but not with AUTH_HOST. I have set up the whoami example with AUTH_HOST and my nextcloud server. I'm using the :latest tagged docker image.

What happens is:

1. Go to https://whoami.domain.com
2. Nextcloud warning page about security - click OK
3. Nextcloud grant access page - click Grant access
4. Nextcloud grant access page again - click Grant access again
5. Nextcloud page with "Access denied. State token does not match" message.
6. Manually go to whoami.domain.com -> Authenticated, seeing all info.

Log:

time="2022-02-15T12:33:19Z" level=debug msg="Authenticating request" cookies="[_forward_auth_csrf_d1a755=d1a7555bc066f7f40dc03279a7adfd1c]" handler=Auth host=whoami.domain.com method=GET proto=https rule=default source_ip=192.168.10.1 uri=/
time="2022-02-15T12:33:19Z" level=debug msg="Set CSRF cookie and redirected to provider login url" csrf_cookie="_forward_auth_csrf_4563b8=4563b8631d42b3a5c5acf5abd1b8b85c; Path=/; Domain=domain.com; Expires=Tue, 15 Feb 2022 13:33:19 GMT; HttpOnly; Secure" handler=Auth host=whoami.domain.com login_url="https://cloud.domain.com/apps/oauth2/authorize?client_id=SV2uJab69dg5zQ0PIXBAYCd6lQgk8KAb3qIgIdbwE0fqxiZ1eF69f7UUMvY8Swv5&redirect_uri=https%3A%2F%2Fauth.domain.com%2F_oauth&response_type=code&scope=profile+email&state=4563b8631d42b3a5c5acf5abd1b8b85c%3Ageneric-oauth%3Ahttps%3A%2F%2Fwhoami.domain.com%2F" method=GET proto=https rule=default source_ip=192.168.10.1 uri=/
time="2022-02-15T12:33:26Z" level=debug msg="Handling callback" cookies="[_forward_auth_csrf_d1a755=d1a7555bc066f7f40dc03279a7adfd1c _forward_auth_csrf_4563b8=4563b8631d42b3a5c5acf5abd1b8b85c]" handler=AuthCallback host=auth.domain.com method= proto=https rule=default source_ip=192.168.10.1 uri=
time="2022-02-15T12:33:27Z" level=info msg="Successfully generated auth cookie, redirecting user." handler=AuthCallback host=auth.domain.com method= proto=https provider=generic-oauth redirect="https://whoami.domain.com/" rule=default source_ip=192.168.10.1 uri= user=
time="2022-02-15T12:33:35Z" level=debug msg="Authenticating request" cookies="[_forward_auth_csrf_d1a755=d1a7555bc066f7f40dc03279a7adfd1c _forward_auth=7gh5h4oX5BB7mGMlbR-4gMnyR7LvB-tBT7nex4Kmwb0=|1644971607|]" handler=Auth host=whoami.domain.com method=GET proto=https rule=default source_ip=192.168.10.1 uri=/
time="2022-02-15T12:33:35Z" level=debug msg="Allowing valid request" handler=Auth host=whoami.domain.com method=GET proto=https rule=default source_ip=192.168.10.1 uri=/
time="2022-02-15T12:33:35Z" level=debug msg="Authenticating request" cookies="[_forward_auth_csrf_d1a755=d1a7555bc066f7f40dc03279a7adfd1c _forward_auth=7gh5h4oX5BB7mGMlbR-4gMnyR7LvB-tBT7nex4Kmwb0=|1644971607|]" handler=Auth host=whoami.domain.com method=GET proto=https rule=default source_ip=192.168.10.1 uri=/favicon.ico
time="2022-02-15T12:33:35Z" level=debug msg="Allowing valid request" handler=Auth host=whoami.domain.com method=GET proto=https rule=default source_ip=192.168.10.1 uri=/favicon.ico

docker-compose.yml:

version: '2'

services:
  traefik:
    container_name: traefik
    image: traefik:v2.4
    restart: always
    extra_hosts:
      - "host.docker.internal:172.17.0.1"
    ports:
      - "192.168.10.201:80:80"
      - "192.168.10.201:443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /storage/docker/traefik/acme.json:/etc/traefik/acme/acme.json
      - /storage/docker/traefik/traefik.toml:/etc/traefik/traefik.toml
      - /storage/docker/traefik/dynconf:/etc/traefik/dynamic
      - /etc/letsencrypt/live/domain.com/fullchain.pem:/etc/traefik/domain_fullchain.pem
      - /etc/letsencrypt/live/domain.com/privkey.pem:/etc/traefik/domain_privkey.pem
    networks:
      - web_services
    labels:
      - co.elastic.logs/module=traefik
      - co.elastic.logs/fileset.stdout=access
      - co.elastic.logs/fileset.stderr=error

  traefik-forward-auth:
    image: thomseddon/traefik-forward-auth:latest
    environment:
      - SECRET=very-secret
      - DEFAULT_PROVIDER=generic-oauth
      - PROVIDERS_GENERIC_OAUTH_AUTH_URL=https://cloud.domain.com/apps/oauth2/authorize
      - PROVIDERS_GENERIC_OAUTH_TOKEN_URL=https://cloud.domain.com/apps/oauth2/api/v1/token
      - PROVIDERS_GENERIC_OAUTH_USER_URL=https://cloud.domain.com/ocs/v2.php/cloud/user?format=json
      - PROVIDERS_GENERIC_OAUTH_CLIENT_ID=nc-client-id
      - PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET=nc_client_secret
      - AUTH_HOST=auth.domain.com
      - COOKIE_DOMAIN=domain.com
      - LOG_LEVEL=debug
    networks:
      - web_services
    labels:
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
      - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"
      - "traefik.enable=true"
      - "traefik.docker.network=web_services"
      - "traefik.http.routers.oauth.entrypoints=websecure"
      - "traefik.http.routers.oauth.rule=Host(`auth.domain.com`)"
      - "traefik.http.routers.oauth.tls=true"
      - "traefik.http.routers.oauth.tls.domains[0].main=auth.domain.com"
      - "traefik.http.routers.oauth.middlewares=hsts@file"

  whoami:
    image: containous/whoami
    networks:
      - web_services
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=web_services"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.rule=Host(`whoami.domain.com`)"
      - "traefik.http.routers.whoami.tls=true"
      - "traefik.http.routers.whoami.tls.domains[0].main=whoami.domain.com"
      # a repeated label key keeps only the last value, so both middlewares go in one label
      - "traefik.http.routers.whoami.middlewares=hsts@file,traefik-forward-auth"

networks:
  web_services:
    external:
      name: web_services

Callback URL in NC OAUTH client settings: https://auth.domain.com/_oauth
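The log above shows how the login attempt is tied to the browser: each attempt sets its own CSRF cookie (`_forward_auth_csrf_4563b8`) and packs the same nonce, the provider and the original URL into the OAuth `state` parameter (`4563b8...:generic-oauth:https://whoami.domain.com/`), and the callback on `auth.domain.com` has to match the two up. The following Go program is an added illustration of that check, not traefik-forward-auth's own code: it reproduces the state layout and cookie naming visible in the log (the six-character cookie suffix being the start of the nonce is inferred from the log and is an assumption here), parses the callback's `Cookie` header exactly as the "Handling callback" line shows it, and demonstrates that a stale cookie from an earlier attempt (`d1a755`) is simply ignored while a missing or tampered cookie rejects the callback.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Cookie name prefix as it appears in the log lines above.
const csrfCookiePrefix = "_forward_auth_csrf_"

// ParsedState holds the three fields packed into the OAuth "state" parameter,
// in the layout visible in the log: <csrf-nonce>:<provider>:<original-url>
type ParsedState struct {
	Nonce    string
	Provider string
	Redirect string
}

// ParseState splits the state parameter. SplitN with a limit of 3 keeps the
// colons inside the redirect URL ("https://...") intact.
func ParseState(state string) (ParsedState, error) {
	parts := strings.SplitN(state, ":", 3)
	if len(parts) != 3 || parts[0] == "" || parts[1] == "" || parts[2] == "" {
		return ParsedState{}, errors.New("malformed state parameter")
	}
	return ParsedState{Nonce: parts[0], Provider: parts[1], Redirect: parts[2]}, nil
}

// csrfCookieName derives the per-attempt cookie name from the nonce.
// Assumption (inferred from "_forward_auth_csrf_4563b8" in the log): the
// suffix is the first six characters of the nonce.
func csrfCookieName(nonce string) (string, error) {
	if len(nonce) < 6 {
		return "", errors.New("nonce too short")
	}
	return csrfCookiePrefix + nonce[:6], nil
}

// ValidateCallback checks that the state echoed back by the provider is bound
// to a CSRF cookie this browser actually holds. Because every attempt has its
// own cookie name, leftover cookies from earlier attempts do not interfere.
func ValidateCallback(r *http.Request, state string) (ParsedState, error) {
	st, err := ParseState(state)
	if err != nil {
		return ParsedState{}, err
	}
	name, err := csrfCookieName(st.Nonce)
	if err != nil {
		return ParsedState{}, err
	}
	c, err := r.Cookie(name)
	if err != nil {
		return ParsedState{}, fmt.Errorf("csrf cookie %q missing: state does not belong to a login attempt from this browser", name)
	}
	// Constant-time compare so the check itself leaks nothing about the nonce.
	if subtle.ConstantTimeCompare([]byte(c.Value), []byte(st.Nonce)) != 1 {
		return ParsedState{}, errors.New("csrf cookie value does not match state nonce")
	}
	return st, nil
}

// callbackRequest builds a request to the callback URL carrying a Cookie
// header; no network connection is made. The header value is constructed for
// this example from the log above.
func callbackRequest(cookieHeader string) *http.Request {
	r, _ := http.NewRequest(http.MethodGet, "https://auth.domain.com/_oauth", nil)
	r.Header.Set("Cookie", cookieHeader)
	return r
}

func main() {
	// Both cookies from the "Handling callback" log line: a stale one (d1a755)
	// and the one set for the current attempt (4563b8).
	r := callbackRequest("_forward_auth_csrf_d1a755=d1a7555bc066f7f40dc03279a7adfd1c; " +
		"_forward_auth_csrf_4563b8=4563b8631d42b3a5c5acf5abd1b8b85c")
	state := "4563b8631d42b3a5c5acf5abd1b8b85c:generic-oauth:https://whoami.domain.com/"

	if st, err := ValidateCallback(r, state); err != nil {
		fmt.Println("rejected:", err)
	} else {
		fmt.Printf("accepted: provider=%s redirect=%s\n", st.Provider, st.Redirect)
	}

	// A state whose nonce has no matching cookie (e.g. replayed from another
	// browser) is rejected.
	_, err := ValidateCallback(r, "0000000000000000000000000000abcd:generic-oauth:https://whoami.domain.com/")
	fmt.Println("foreign state:", err)
}
```

The design point for operators is that the cookie is scoped by `COOKIE_DOMAIN` (`Domain=domain.com` in the log), which is what lets the cookie set while visiting `whoami.domain.com` be presented to the callback on `auth.domain.com`; if the two hosts did not share that domain the lookup by cookie name would fail and the callback would be rejected even though the user approved the grant.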

r2evans commented 8 months ago

@sgofferj did you ever get this working? I'm trying now, using

  traefik-forward-auth:
    image: thomseddon/traefik-forward-auth:2
    environment:
      - DEFAULT_PROVIDER=generic-oauth
      - PROVIDERS_GENERIC_OAUTH_AUTH_URL=https://..../apps/oauth2/authorize
      - PROVIDERS_GENERIC_OAUTH_TOKEN_URL=https://..../apps/oauth2/api/v1/token
      - PROVIDERS_GENERIC_OAUTH_USER_URL=https://..../ocs/v2.php/cloud/user?format=json
      - PROVIDERS_GENERIC_OAUTH_CLIENT_ID=....
      - PROVIDERS_GENERIC_OAUTH_CLIENT_SECRET=....
      - SECRET=....
      # - INSECURE_COOKIE=true # Example assumes no https, do not use in production
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik-forward-auth.tls=true"
      - "traefik.http.routers.traefik-forward-auth.rule=Host(`....`) && PathPrefix(`/someauth`)"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.address=http://traefik-forward-auth:4181"
      - "traefik.http.middlewares.traefik-forward-auth.forwardauth.authResponseHeaders=X-Forwarded-User"
      - "traefik.http.services.traefik-forward-auth.loadbalancer.server.port=4181"
sgofferj commented 8 months ago

@r2evans Unfortunately not. I've been using Authentik for a while now.

r2evans commented 8 months ago

@sgofferj is that using NC as the provider, or did you convert NC to use Authentik as the provider?

sgofferj commented 8 months ago

Authentik is the backend now. For services that don't speak OIDC, I use the Authentik proxy worker instead of forward auth.