Comments (3)
Although it's not quite 100% because I simply want a 401 and not a login screen if my user isn't logged in hitting my API, this solution got me quite far.
https://blog.devops.dev/securing-microservice-apis-with-oauth2-proxy-a-complete-project-71fabc79147d
However, oauth2-proxy, apparently, doesn't work well with Azure. There are a number of reddits and other things saying you're better off using oidc as a provider. There are some examples of that here:
1...666 is right. Oy.
from oauth2-proxy.
OK - I got some of this to work - but it's still not functional. This is what I changed:
docker-compose.yml
```yaml
version: '3'
services:
  proxy:
    image: bitnami/oauth2-proxy   # <-- the line that was changed
    container_name: Auth
    volumes:
      - ./gateway-conf/oauth2_proxy.cfg:/etc/oauth2_proxy.cfg
    networks:
      - oauth2-network
    ports:
      - "4180:4180"
    command:
      - --http-address=:4180
      - --config=/etc/oauth2_proxy.cfg
  nginx:
    image: containersdev.azurecr.io/servicesgateway:latest
    container_name: Services.Gateway
    volumes:
      - ./gateway-conf.d/default.conf:/etc/nginx/conf.d/default.conf
    networks:
      - oauth2-network
    ports:
      - "5012:80"
    depends_on:
      - proxy
networks:
  oauth2-network:
    driver: bridge
```
default.conf
```nginx
server {
    listen 80;
    listen [::]:80;
    server_name localhost;

    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }

    # Internal auth subrequest target: /oauth2/ is rewritten to /oauth2/auth on the proxy.
    location /oauth2/ {
        internal;
        proxy_pass http://proxy:4180/oauth2/auth;
        # auth_request subrequests carry no body; drop the original Content-Length
        # so oauth2-proxy does not wait for one (standard auth_request pairing).
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # staging_begin
    location /api-staging/test/ {
        auth_request /oauth2/;
        error_page 401 = /404.html;
        error_page 403 = /404.html;
        proxy_pass http://10.0.0.4:5003/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    # staging_end

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
```
oauth2_proxy.cfg
```toml
provider = "azure"
client_id = "7..."
client_secret = "k..."
redirect_url = "http://localhost:4180/oauth2/callback"
oidc_issuer_url = "https://login.microsoftonline.com/a...c/v2.0"
cookie_secret = "1...="
email_domains = ["*"]
reverse_proxy = true
# upstreams = ["http://localhost:80"]   <--- deleted
# Enable setting the authorization header
set_authorization_header = true
# Pass the authorization header
pass_authorization_header = true
# Pass user headers like X-Forwarded-User
pass_user_headers = true
# Pass the request's Host header through to the upstream
pass_host_header = true
```
At this point, nginx and oauth2-proxy are communicating. However, I can log into the nginx instance and issue the following curl command:
```shell
curl -H "Authorization: Bearer [token]" http://proxy:4180/oauth2/auth
```
Doing so results in "Unauthorized".
I have verified I have the correct scope in the token. I just don't know how to verify if it's reaching Azure or if the "Unauthorized" is the result of something else.
from oauth2-proxy.
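A check worth running before blaming Azure. This is an added example, not code from the comment above or from oauth2-proxy. Two things to know first: oauth2-proxy only looks at an `Authorization: Bearer` header on `/oauth2/auth` when `skip_jwt_bearer_tokens = true` is set (the cfg above does not set it, so the request falls through to the session-cookie check and is a 401 no matter what the token says). Once it is set, oauth2-proxy verifies the token's signature against the issuer's JWKS and then compares `iss` with `oidc_issuer_url`, `aud` with `client_id` (or an extra audience you configured) and `exp` with the clock. The script below decodes the token without verifying the signature and reports which of those claim checks would fail, plus the common Azure trap of presenting a token minted for Microsoft Graph. The tenant ID, client ID and sample tokens are constructed placeholders.

```python
"""Pre-flight claim check for a bearer token sent to oauth2-proxy's /oauth2/auth.

Added example. It does NOT verify the signature (oauth2-proxy does that
against the issuer's JWKS); it only tells you which claim comparison would
fail, so that a 401 can be attributed to the token rather than to the proxy.
"""
import base64
import json
import time

# Mirrors the oauth2_proxy.cfg above; tenant and client IDs are constructed, not real.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "7aaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
OIDC_ISSUER_URL = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph's well-known app ID


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_unverified(token: str) -> tuple:
    """Split a compact JWS into (header, claims). No signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def check_bearer_claims(token, oidc_issuer_url=OIDC_ISSUER_URL, client_id=CLIENT_ID,
                        extra_audiences=(), now=None) -> list:
    """Return the reasons this token would fail oauth2-proxy's claim checks.

    An empty list means iss/aud/exp line up with the config; only the
    signature (checked by oauth2-proxy, not here) remains.
    """
    now = time.time() if now is None else now
    header, claims = decode_jwt_unverified(token)
    problems = []

    if header.get("alg", "none").lower() == "none":
        problems.append("alg=none: unsigned token, rejected outright")
    if "nonce" in header:
        # Tokens minted for Microsoft Graph carry a header nonce and are not
        # validatable by third parties; request a token for your own API scope.
        problems.append("header carries a nonce: token was minted for Microsoft Graph")

    iss = claims.get("iss")
    if iss != oidc_issuer_url:
        problems.append(f"iss={iss!r} does not match oidc_issuer_url={oidc_issuer_url!r} "
                        "(a v1.0 sts.windows.net issuer against a /v2.0 issuer URL is the usual mismatch)")

    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if GRAPH_APP_ID in audiences:
        problems.append("aud is Microsoft Graph, not this application")
    if client_id not in audiences and not set(audiences) & set(extra_audiences):
        problems.append(f"aud={audiences!r} contains neither client_id nor an extra audience")

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append(f"exp={exp!r} is missing or in the past")

    return problems


def make_sample_token(claims, header=None) -> str:
    """Build a structurally valid JWT with a dummy signature (constructed test data)."""
    header = header or {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    segments = [_b64url_encode(json.dumps(part).encode()) for part in (header, claims)]
    segments.append(_b64url_encode(b"\x00" * 32))  # placeholder signature, never trusted
    return ".".join(segments)


NOW = int(time.time())
GOOD = make_sample_token({"iss": OIDC_ISSUER_URL, "aud": CLIENT_ID, "exp": NOW + 3600,
                          "scp": "access_as_user", "sub": "user-1"})
V1_ISSUER = make_sample_token({"iss": f"https://sts.windows.net/{TENANT_ID}/", "aud": CLIENT_ID,
                               "exp": NOW + 3600})
GRAPH = make_sample_token({"iss": OIDC_ISSUER_URL, "aud": GRAPH_APP_ID, "exp": NOW + 3600},
                          {"alg": "RS256", "typ": "JWT", "nonce": "x", "kid": "k"})
EXPIRED = make_sample_token({"iss": OIDC_ISSUER_URL, "aud": CLIENT_ID, "exp": NOW - 1})

if __name__ == "__main__":
    for name, tok in (("good", GOOD), ("v1-issuer", V1_ISSUER), ("graph", GRAPH), ("expired", EXPIRED)):
        print(name, check_bearer_claims(tok, now=NOW) or "claims OK")
```

Paste a real token in place of the constructed ones to run it against your own setup. If it reports nothing, the remaining suspects are the missing `skip_jwt_bearer_tokens = true` and the signature check; watching the proxy container's log (`docker compose logs -f proxy`) while the curl runs shows whether the request reaches oauth2-proxy at all and why it was refused.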
I'm having a similar error with Keycloak + nginx + oauth2-proxy.
from oauth2-proxy.